change column name with specified new column value in Splunk

Path Finder

Hi,

I have the correct value in the current field and want to use that value as the column name, which is currently showing as A. Please help to solve this issue. For any other information, please let me know.

E.g., if current is '06-24-2018', then the table header row should have the column name '06-24-2018'.

| base search
| eval current = strftime(currentTime,"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| table "Project",A

0 Karma

Champion

Something like this:

  1. Use the value of one field as the name for a new field. In this example, use each value of the field counter to make a new field name. Assign to the new field the value of the Value field. See Field names under the Usage section.

index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value
in your case |eval {current}=A
Ref. http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval#4._Use_the_value_of_one_field...

After running this you need to check your interesting field and add a last | stats values(06-15-2018) by "Project"
assuming your currentTime value is 06-15-2018

0 Karma

Path Finder

My current SPL is like below, in which the weeks are currently hard-coded with values.

| eval "06-04-2018" = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval "05-28-2018" = if(P1P1>0 OR P2P1>0,"R",if(P3P1>0,"Y","G"))
| eval "05-21-2018" = if(P1P2>0 OR P2P2>0,"R",if(P3P2>0,"Y","G"))
| eval "05-14-2018" = if(P1P3>0 OR P2P3>0,"R",if(P3P3>0,"Y","G"))
| eval "05-07-2018" = if(P1P4>0 OR P2P4>0,"R",if(P3P4>0,"Y","G"))
| table "Project","05-07-2018","05-14-2018","05-21-2018","05-28-2018","06-04-2018"
| sort Project

Using the above query in SPL, data is showing in the below structure (the Project field already exists in the event data).

[Screenshot attached ]

Now I want to display my header column with the week's date. I modified the query as advised by you, but it did not work.

| eval current = strftime(relative_time(now(),"@w1"),"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval {current} = A

Thanks in advance for your help!

0 Karma

Champion

Hi,
Perhaps I am not getting your use case or I am not able to explain. At any rate, I have written a query on the default _audit index so that you can run the query as it is (select last 24 hours):
index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-27-2018

Now, the 06-27-2018 needs to be replaced by current day -1, so if you run this on 30th June you would write something like:
index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-29-2018

Is this something like what you need?

Communicator

Hi There,

Can you expand on the problem a little more, such as what the data looks like and your expected outcome? At first glance from the above data, my thoughts would be to use the CHART command by the field in question.

0 Karma

Path Finder

I want to display the column name with a date as an output of an eval command, and this date is also coming from an eval command output.
Hope this information helps you to provide me a solution.
Thanks in advance!

0 Karma

SplunkTrust

@vikas_baranwal can you give the output table format? While it is clear that you need Date as table header, it is not clear what each row would look like. What is your current data? Sample data, the current table and the expected table format would be helpful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
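
The dynamic column naming discussed in this thread, as an added run-anywhere example that is not part of any poster's reply: it builds the week-date headers with `eval {field} = ...` and selects them with a wildcard in `table`, so no date is typed into the search. The sample rows, the `Project-N` values and the helper fields `n`, `wk0` and `wk1` are constructed for illustration; comments use the `comment` macro of the Splunk 7.x release the thread links to.

```spl
| makeresults count=3
| streamstats count AS n
`comment("Constructed sample rows: Project and the P* counters stand in for the real event fields")`
| eval Project = "Project-".n
| eval P1C = if(n=1,1,0), P2C = 0, P3C = if(n=2,1,0)
| eval P1P1 = 0, P2P1 = if(n=3,2,0), P3P1 = if(n=1,1,0)
`comment("wk0/wk1 (hypothetical names): Monday of the current and of the previous week")`
| eval wk0 = strftime(relative_time(now(),"@w1"),"%m-%d-%Y")
| eval wk1 = strftime(relative_time(now(),"-1w@w1"),"%m-%d-%Y")
`comment("{wk0} on the left-hand side names the new field after the value held in wk0")`
| eval {wk0} = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval {wk1} = if(P1P1>0 OR P2P1>0,"R",if(P3P1>0,"Y","G"))
`comment("The wildcard matches the date-named fields, whatever dates they carry today")`
| table Project *-*-*
| sort Project
```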