
change column name with specified new column value in Splunk

vikas_baranwal
Path Finder

Hi,

I have the correct value in the current field and want to use that value as the column name, which is currently showing as A. Please help to solve this issue. For any other information, please let me know.

e.g. if current is '06-24-2018', then the table header row should have the column name '06-24-2018'

| base search
| eval current = strftime(currentTime,"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| table "Project",A


Sukisen1981
Champion

something like this -

  1. Use the value of one field as the name for a new field. In this example, use each value of the field counter to make a new field name. Assign to the new field the value of the Value field. See Field names under the Usage section.

index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value
in your case |eval {current}=A
Ref. http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval#4._Use_the_value_of_one_field...

After running this you need to check your interesting field and add a last | stats values(06-15-2018) by "Project"
assuming your currentTime value is 06-15-2018


vikas_baranwal
Path Finder

My current SPL is like below, in which the weeks are currently hard-coded with values.

| eval "06-04-2018" = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval "05-28-2018" = if(P1P1>0 OR P2P1>0,"R",if(P3P1>0,"Y","G"))
| eval "05-21-2018" = if(P1P2>0 OR P2P2>0,"R",if(P3P2>0,"Y","G"))
| eval "05-14-2018" = if(P1P3>0 OR P2P3>0,"R",if(P3P3>0,"Y","G"))
| eval "05-07-2018" = if(P1P4>0 OR P2P4>0,"R",if(P3P4>0,"Y","G"))
| table "Project","05-07-2018","05-14-2018","05-21-2018","05-28-2018","06-04-2018"
| sort Project

Using the above query in SPL, data is showing in the below structure (the Project field already exists in the event data).

[Screenshot attached ]

Now I want to display my header column with week’s date. I modified query as advised by you but it did not work.

| eval current = strftime(relative_time(now(),"@w1"),"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval {current} = A

Thanks in advance for your help!

Sukisen1981
Champion

Hi,
Perhaps I am not getting your use case or I am not able to explain. At any rate I have written a query on the default _audit index, so that you can run the query as it is (select last 24 hours):
index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-27-2018

Now, the 06-27-2018 needs to be replaced by current day -1, so if you run this on 30th June you would write something like -
index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-29-2018

Is this something like what you need?
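
A run-anywhere sketch of the eval {current} = A approach from this thread, added here as an example and not part of any poster's reply. The sample rows are constructed with makeresults (three hypothetical projects with made-up P1C/P2C/P3C and P1P1/P2P1/P3P1 counts), and the helper field names n, wk0, wk1, s0 and s1 are chosen for this illustration only; the wildcard in table picks up the date-named columns so that no date is hard-coded.

```spl
| makeresults count=3
| streamstats count AS n
| eval Project = "Project-" . tostring(n)
| eval P1C = if(n=1, 2, 0), P2C = 0, P3C = if(n=2, 1, 0)
| eval P1P1 = 0, P2P1 = 0, P3P1 = if(n=3, 4, 0)
| eval wk0 = strftime(relative_time(now(), "@w1"), "%m-%d-%Y")
| eval wk1 = strftime(relative_time(now(), "-1w@w1"), "%m-%d-%Y")
| eval s0 = if(P1C>0 OR P2C>0, "R", if(P3C>0, "Y", "G"))
| eval s1 = if(P1P1>0 OR P2P1>0, "R", if(P3P1>0, "Y", "G"))
| eval {wk0} = s0
| eval {wk1} = s1
| table Project *-*-*
| sort Project
```

Because both labels are derived from now(), every row produces the same two field names, so table collects them under shared date headers (current week: R, Y, G; previous week: G, G, Y for the three constructed projects).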

paulbannister
Communicator

Hi There,

Can you expand on the problem a little more, such as what the data looks like and your expected outcome? At first glance from the above data my thoughts would be to use the CHART command by the field in question


vikas_baranwal
Path Finder

I want to display the column name with a date as the output of an eval command, and this date is also coming from an eval command output.
Hope this information helps you to provide me solution.
Thanks in advance!


niketn
Legend

@vikas_baranwal can you give the output table format? While it is clear that you need Date as the table header, it is not clear what each row would look like. What is your current data? Sample data, the current table and the expected table format would be helpful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"