https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39743#M9100 <P>You probably want <CODE>replace</CODE> (<A href="http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Replace">http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Replace</A> <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>... | replace <A href="https://community.splunk.com/www.google.com" target="test_blank">www.google.com</A> with Google </CODE></PRE> Mon, 20 Aug 2012 20:37:50 GMT Ayn 2012-08-20T20:37:50Z https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39742#M9099 <P>Hi,<BR /> I am using splunk to monitor the performance of a number of long urls and the search strring is like : </P> <P>| stats max(time_in_sec), perc90(time_in_sec), perc75(time_in_sec), perc50(time_in_sec), avg(time_in_sec), min(time_in_sec), stdev(time_in_sec) by ping_url</P> <P>It's working fine but the url is too long to fit in the dashboard. I am wondering if there is a way to function to display the short name in the result? Thanks!</P> <P>e.g. RENAME <A href="http://www.google.com" target="_blank">www.google.com</A> AS Google</P> Mon, 28 Sep 2020 12:17:52 GMT https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39742#M9099 shangshin 2020-09-28T12:17:52Z https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39743#M9100 <P>You probably want <CODE>replace</CODE> (<A href="http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Replace">http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Replace</A> <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>... | replace <A href="https://community.splunk.com/www.google.com" target="test_blank">www.google.com</A> with Google </CODE></PRE> Mon, 20 Aug 2012 20:37:50 GMT https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39743#M9100 Ayn 2012-08-20T20:37:50Z https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39744#M9101 <P>I can see a few options;</P> <P>If you have a large number of URLs you can extract the significant portion with the <CODE>substr</CODE> function. </P> <PRE><CODE>... | eval shorty = substr(url,40) | the_rest_of_your_search by shorty </CODE></PRE> <P>If you have a few loooong but fairly static urls you can set up a <CODE>case</CODE> evaluation</P> <PRE><CODE>...| eval shorty = case(url == "/long/url/number1", "long1", url == "/long/url/number2", long2, url == "really/long/url/number/3", "long3") | the_rest_of_your_search by shorty </CODE></PRE> <P>See the <A href="http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/CommonEvalFunctions">docs for eval</A> for more info.</P> <P>If all your URLs start the same way, e.g. /this/is/the/base/directory/in/all/urls/for/the/site/page1.htm, you can make a field extraction that skips the redundant levels (or as Ayn suggests, use <CODE>replace</CODE>).</P> <P>Hope this helps somewhat,</P> <P>Kristian</P> <P>edit: update, spelling</P> Mon, 20 Aug 2012 20:39:55 GMT https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39744#M9101 kristian_kolb 2012-08-20T20:39:55Z https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39745#M9102 <P>Thanks a lot! This is very helpful!!!<BR /> I ma wondering if the CASE function supports regular expression so the search string is cleaner? e.g.</P> <PRE><CODE>...| eval shorty = case(url == "*number1*", "long1", url == "*number2*", long2, url == "*number3*", "long3") | the_rest_of_your_search by shorty </CODE></PRE> Tue, 21 Aug 2012 13:04:59 GMT https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39745#M9102 shangshin 2012-08-21T13:04:59Z https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39746#M9103 <P>You can use the <CODE>match</CODE> function for this. See more info in the docs on <CODE>eval</CODE> functions. <A href="http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions</A></P> Tue, 21 Aug 2012 13:16:56 GMT https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39746#M9103 Ayn 2012-08-21T13:16:56Z https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39747#M9104 <P>I would really recommend the use of lookup tables here, that way you can always add/modidy/delete any entries there that you may use in your searches. This way you can configure in an eficient way how you want each url to be displayed in order to be readable too. </P> <P>Here it is some easy to follow info on the subjetc:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0/knowledge/Addfieldsfromexternaldatasources">http://docs.splunk.com/Documentation/Splunk/5.0/knowledge/Addfieldsfromexternaldatasources</A></P> Wed, 19 Dec 2012 02:45:37 GMT https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39747#M9104 GKC 2012-12-19T02:45:37Z https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39748#M9105 <P>What does the 40 stand for in substr(url,40)?</P> Sat, 02 May 2020 00:16:29 GMT https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39748#M9105 c48571 2020-05-02T00:16:29Z https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39749#M9106 <P>@c48571<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#substr.28X.2CY.2CZ.29">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#substr.28X.2CY.2CZ.29</A></P> <P>see reference</P> <P>and try googling <CODE>substr site:docs.splunk.com</CODE> </P> Sat, 02 May 2020 00:38:36 GMT https://community.splunk.com/t5/Splunk-Search/Rename-group-by-value/m-p/39749#M9106 to4kawa 2020-05-02T00:38:36Z