topic Re: Rename source in chart in Splunk Search

Rename source in chart

gnovak — Wed, 21 Mar 2012 18:03:54 GMT

I have a dashboard that is displaying 3 charts and a table. In the 3 charts the legend mostly consists the source path of the logs files that are being displayed in the charts. The source path is pretty long and I'd really like to just have the source path displayed as one word describing each source.

I really only want it for these charts on the dashboard and not all throughout splunk. Anyone have an idea of what the best way to do this? Do I have to put something in the actual search to tell splunk to relabel the source?

Example: /opt/log/sandstorm/home/dataserver.log.

I want it displayed in chart as just Sandstorm and not /opt/log/sandstorm/home/dataserver.log

Re: Rename source in chart

Ayn — Wed, 21 Mar 2012 18:31:53 GMT

In the search you're using to generate each graph, sometime before your stats/chart/timechart command, create a new field that holds only the last portion of the source field:

... | rex field=source "/(?<source_short>[^/]+)$"

Then split by that field instead of by source.

Re: Rename source in chart

gnovak — Mon, 28 Sep 2020 11:33:49 GMT

Well I tried doing this but I haven't seen the result I need. My search I was using was: sourcetype="cron_BalanceEmail" NOT host=".bmp2." earliest=-1d@d latest=-0d@d sent ([BalanceEmail] OR [null]) | rex field=_raw "\w+] ?(?[\d]+) of (?[\d]+) of email notification sent." | table source TotalEmailsToSend TotalEmailsSent | dedup source

Re: Rename source in chart

gnovak — Thu, 22 Mar 2012 15:15:54 GMT

The location of the sourcetype for all of these logs is in the same location but each one is named differently. such as /opt/log/sandstorm/logs/sandstorm.log, /opt/log/snowstorm/logs/snowstorm.log, etc. I just want the main words like Sandstorm or Snowstorm to show up for source. I'll keep trying but any other comments are welcome!

Re: Rename source in chart

Ayn — Thu, 22 Mar 2012 15:16:35 GMT

I don't see the rex command to create a short version of the source field in there?

Re: Rename source in chart

gnovak — Thu, 22 Mar 2012 15:29:18 GMT

I didn't add that to my response because what I had didn't work. I'm still working on it.

Re: Rename source in chart

gnovak — Mon, 28 Sep 2020 11:33:51 GMT

If i add this, the results in the table are still the same: sourcetype="cron_BalanceEmail" NOT host=".bmp2." earliest=-1d@d latest=-0d@d sent ([BalanceEmail] OR [null]) | rex field=_raw "\w+] ?(?[\d]+) of (?[\d]+) of email notification sent." | rex field=source "/(?[^/]+)$" | table source TotalEmailsToSend TotalEmailsSent | dedup source

Re: Rename source in chart

gnovak — Thu, 22 Mar 2012 15:31:31 GMT

i tried renaming source_short to other things, didnt' work. I tried making the regex | rex field=source "/opt/log/(?[^/]+)$" and that also didn't work. I'm not the best at regex but I've got a handy chart here...still trying different things!

Re: Rename source in chart

gnovak — Thu, 22 Mar 2012 16:06:33 GMT

Ok it did make a source_short field but the source listed isn't correct. I will try again

Re: Rename source in chart

gnovak — Mon, 28 Sep 2020 11:33:54 GMT

The field listed was the last portion of the log path. If the log path is /opt/log/dotinfo/eppcron/eppcron_balancememail.log, it listed as the source_short as only eppcron_balanceemail.log. I should list dotinfo.

Re: Rename source in chart

gnovak — Mon, 28 Sep 2020 11:33:57 GMT

This worked! sourcetype="cron_BalanceEmail" NOT host=".bmp2." earliest=-1d@d latest=-0d@d sent ([BalanceEmail] OR [null]) | rex field=_raw "\w+] ?(?[\d]+) of (?[\d]+) of email notification sent." | rex field=source "/(?[^/]+)/[^/]+/[^/]+$" | table source_short TotalEmailsToSend TotalEmailsSent | dedup source_short