https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21655#M3579 <P>You're absolutely right. Take out the NOT.</P> Sun, 08 Apr 2012 20:11:54 GMT Stephen_Sorkin 2012-04-08T20:11:54Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21647#M3571 <P>I have a search using transaction and the startswith/endswith but I don't know how to call the Task_time field in the starts with of my transaction "Encode Time" and the Task_time field in the ends with "Transfer Time"?</P> Mon, 28 Sep 2020 11:38:30 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21647#M3571 tb582 2020-09-28T11:38:30Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21648#M3572 <P>You can use eval to achieve this, by evaluating those fields before the transaction. Suppose the initial event includes the word "Encode" and the final event contains the word "Transfer": For example:</P> <PRE><CODE>... | eval Encode_Time=if(searchmatch("Encode"), Task_time, null()) | eval Transfer_time=if(searchmatch("Transfer",Task_time, null() | transaction &lt;uid&gt; </CODE></PRE> <P>Alternately, if the Encode event really starts the transaction and the Transfer event really ends it, you can just use eval after the transaction to pick the values of the Task_time multivalued field:</P> <PRE><CODE>... | transaction &lt;uid&gt; | eval Encode_time = mvindex(Task_time, 0) | eval Transfer_time = mvindex(Task_time, -1) </CODE></PRE> Sun, 08 Apr 2012 00:12:16 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21648#M3572 Stephen_Sorkin 2012-04-08T00:12:16Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21649#M3573 <P>hmm ok I think we are getting somewhere, but encode and transfer are not really events they are simply strings. I'm forcing them to be the first and last in the transaction by using the starts with/ends with parameters</P> Sun, 08 Apr 2012 03:30:21 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21649#M3573 tb582 2012-04-08T03:30:21Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21650#M3574 <P>Here's my search as it currently stands:</P> <P>index=myindex sourcetype=box-app host=box04* OR host=box050 | transaction task_id startswith="SUCCESS : 100% : Encode completed" endswith="SUCCESS : 100% : (PUSH) completed" | eval starswith = mvindex(Task_time, 0) | rename Task_time AS " Encode" | eval endswith = mvindex(Task_time, -1) | rename Task_time AS "Copy Transfer" | fields " Encode" "Copy Transfer"</P> Mon, 28 Sep 2020 11:38:35 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21650#M3574 tb582 2020-09-28T11:38:35Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21651#M3575 <P>You should be able to search:</P> <P><CODE>index=myindex sourcetype=box-app host=box04* OR host=box050 | transaction task_id startswith="SUCCESS : 100% : Encode completed" endswith="SUCCESS : 100% : (PUSH) completed" | eval Encode = mvindex(Task_time, 0) | eval "Copy Transfer" = mvindex(Task_time, -1) | table "Encode" "Copy Transfer"</CODE></P> Sun, 08 Apr 2012 17:23:53 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21651#M3575 Stephen_Sorkin 2012-04-08T17:23:53Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21652#M3576 <P>doesent seem to work i get all the resutls within my start/end transaction. Not just the two above that I'm looking for. They all have <BR /> Task_time fields and I cant tell which ones are which if I cant rename them approprately.</P> Sun, 08 Apr 2012 19:50:37 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21652#M3576 tb582 2012-04-08T19:50:37Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21653#M3577 <P>If you want to exclude other events from the transaction, you can add to the search part before the first pipe: <CODE>NOT ("SUCCESS : 100% : Encode completed" OR "SUCCESS : 100% : (PUSH) completed"</CODE>.</P> <P>Are you saying that the "Encode" and "Copy Transfer" fields have more than one value each?</P> Sun, 08 Apr 2012 19:54:24 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21653#M3577 Stephen_Sorkin 2012-04-08T19:54:24Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21654#M3578 <P>why would I add NOT if the encode and copy strings are exactly what I'm trying to get? </P> <P>They each have one Task_time field per task_id</P> Mon, 28 Sep 2020 11:38:40 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21654#M3578 tb582 2020-09-28T11:38:40Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21655#M3579 <P>You're absolutely right. Take out the NOT.</P> Sun, 08 Apr 2012 20:11:54 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21655#M3579 Stephen_Sorkin 2012-04-08T20:11:54Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21656#M3580 <P>hehe - ok finally that gets me down to the two lines per task_id that I'm looking for. Next is since both the encode and the copy line have a value for Task_time, how do I rename the enocde Task_time field as one thing and the copy as another?</P> Mon, 28 Sep 2020 11:38:43 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21656#M3580 tb582 2020-09-28T11:38:43Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21657#M3581 <P>Like in the original answer, you have two choices:</P> <OL> <LI>Pick out the fields before the transaction using <CODE>eval Encode=if(searchmatch("Encode completed", Task_time, null())</CODE> and <CODE>eval Transfer=if(searchmatch("PUSH completed", Task_time, null())</CODE>. This will leave each transaction with one value for Encode, and one value for Transfer.</LI> <LI>After the transaction, slice the multivalued "Task_time" field into two separate values using mvindex.</LI> </OL> Sun, 08 Apr 2012 20:26:07 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21657#M3581 Stephen_Sorkin 2012-04-08T20:26:07Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21658#M3582 <P>where do I stick this, which converts milaseconds to HH:MM:SS?</P> <P>eval inSec = Task_time / 1000 | fieldformat Task_time = tostring(inSec, "duration")</P> Mon, 28 Sep 2020 11:38:45 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21658#M3582 tb582 2020-09-28T11:38:45Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21659#M3583 <P>You can put those at the very end, but you have to do it twice, once for each of the fields "Encode" and "Transfer", not for "Task_time". Also, you can combine the two. For instance, add: <CODE>| fieldformat Encode = tostring(Encode/1000, "duration") | fieldformat Transfer = tostring(Transfer/1000, "duration")</CODE></P> Sun, 08 Apr 2012 21:05:35 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21659#M3583 Stephen_Sorkin 2012-04-08T21:05:35Z https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21660#M3584 <P>keep getting "Error in 'fieldformat' command: Typechecking failed. '/' only takes numbers."</P> Sun, 08 Apr 2012 22:55:36 GMT https://community.splunk.com/t5/Splunk-Search/Rename-same-field-different-things/m-p/21660#M3584 tb582 2012-04-08T22:55:36Z