Hi,
I have the correct value in the current field and want to use that value as the column name, which is currently showing as A. Please help me solve this issue. For any other information, please let me know.
e.g. if current is '06-24-2018' then the table header row should have the column name '06-24-2018'
| base search
| eval current = strftime(currentTime,"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| table "Project",A
Something like this -
index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value
in your case |eval {current}=A
Ref. http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval#4._Use_the_value_of_one_field...
After running this you need to check your interesting field and add a last | stats values(06-15-2018) by "Project"
assuming your currentTime value is 06-15-2018
My current SPL is like below, in which the weeks are currently hard-coded with values.
| eval "06-04-2018" = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval "05-28-2018" = if(P1P1>0 OR P2P1>0,"R",if(P3P1>0,"Y","G"))
| eval "05-21-2018" = if(P1P2>0 OR P2P2>0,"R",if(P3P2>0,"Y","G"))
| eval "05-14-2018" = if(P1P3>0 OR P2P3>0,"R",if(P3P3>0,"Y","G"))
| eval "05-07-2018" = if(P1P4>0 OR P2P4>0,"R",if(P3P4>0,"Y","G"))
| table "Project","05-07-2018","05-14-2018","05-21-2018","05-28-2018","06-04-2018"
| sort Project
Using the above query in SPL, data is showing in the below structure (the Project field already exists in the event data).
[Screenshot attached]
Now I want to display my header column with the week's date. I modified the query as advised by you, but it did not work.
| eval current = strftime(relative_time(now(),"@w1"),"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval {current} = A
Thanks in advance for your help!
Hi,
Perhaps I am not getting your use case or I am not able to explain. At any rate, I have written a query on the default _audit index, so that you can run the query as it is (select last 24 hours).
index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-27-2018
Now, the 06-27-2018 needs to be replaced by current day -1, so if you run this on 30th June you would write something like -
index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-29-2018
Is this something like what you need?
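An added example, not written by any poster in this thread: a run-anywhere search that applies the eval {field} technique from the answer above to the two most recent weeks of the hard-coded query, so the date headers follow the search time. The three sample rows are constructed with makeresults, w0 and w1 are hypothetical helper fields, and the P1C/P1P1-style counter names are taken from the thread. The helper and counter fields are dropped before a wildcard table, so no date has to be typed into the search.

```spl
| makeresults count=3
| streamstats count AS n
| eval Project="Project ".n
| eval P1C=if(n=1,1,0), P2C=0, P3C=if(n=2,1,0)
| eval P1P1=0, P2P1=if(n=3,2,0), P3P1=if(n=1,1,0)
| eval w0=strftime(relative_time(now(),"@w1"),"%m-%d-%Y")
| eval w1=strftime(relative_time(now(),"-1w@w1"),"%m-%d-%Y")
| eval {w0}=if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval {w1}=if(P1P1>0 OR P2P1>0,"R",if(P3P1>0,"Y","G"))
| fields - _time n w0 w1 P1C P2C P3C P1P1 P2P1 P3P1
| table Project *
| sort Project
```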
Hi There,
Can you expand on the problem a little more, such as what the data looks like and your expected outcome? At first glance from the above data, my thoughts would be to use the CHART command by the field in question.
I want to display the column name with a date as the output of an eval command, and this date is also coming from an eval command output.
Hope this information helps you to provide me a solution.
Thanks in advance!
@vikas_baranwal can you give the output table format? While it is clear that you need Date as table header, it is not clear what each row would look like. What is your current data? Sample data and current table and expected table format would be helpful.