
help to rename automatically random pie label

Contributor

Hi

I use the search below

[| inputlookup host.csv 
    | table host] index="x" sourcetype="x"
| bucket _time span=3m 
| where process_cpu_used_percent>80 
| dedup host process_name 
| stats count(host) as Total by process_name 
| sort -Total limit=10

processname corresponds to a piece of my pie chart and can be different each time.
I am looking for a solution to automatically rename the process name, because one of them is not explicit.
Example: I have a process_name called "mfevtp", which corresponds to McAFEE.
So I want to display "McAFEE" in my label instead of "mfevtp".
How do I do this, please?
Thanks,
regards

0 Karma

Re: help to rename automatically random pie label

Path Finder

What does this query give you? ->
index="x" sourcetype="x" | table processname | dedup processname

The only output of this query comes as a label in your pie chart.
I am not sure whether aliasing is there or not in Splunk. You can try this manual process:

 [| inputlookup host.csv 
     | table host] index="x" sourcetype="x"
 | bucket _time span=3m 
 | where process_cpu_used_percent>80 
 | dedup host process_name 
 | stats count(host) as Total by process_name 
 | sort -Total limit=10
 | eval process_name=if(process_name="mfevtp","McAFEE ",process_name)
0 Karma

Re: help to rename automatically random pie label

Contributor

Thanks, it works, but sometimes I do not have the exact name for the process,
and if I do eval processname=if(processname="mfevtp*","McAFEE ",process_name) it doesn't work.
Any idea, please?

0 Karma

Re: help to rename automatically random pie label

Path Finder

If you know all possible values of the process_name, add them together in a case statement.

0 Karma

Re: help to rename automatically random pie label

Contributor

Yes, but my question is why I can use *.
Sometimes a process can be named "mfetvtp1" or "mfevtp2",
but both have to be called McAFEE.
So why I can do process_name="mfevtp*"??

0 Karma

Re: help to rename automatically random pie label

Contributor

My case eval works, but sometimes I need to use *

| eval processname=case(processname=="mfevtps*")
But when I use * I have no results.
How do I use * in my case eval, please?

0 Karma

Re: help to rename automatically random pie label

Champion

Hi

Try this

...<your query>| eval process_name = if(like(process_name,"mfetvtp%"),"McAFEE",process_name)

0 Karma

Re: help to rename automatically random pie label

Contributor

Hi, it seems to be OK!
Last question: I have a lot of process names,
so how do I concatenate them in if like?

0 Karma

Re: help to rename automatically random pie label

Champion

Hi

Try like

| eval process_name = case(like(process_name,"mfetvtp%"),"McAFEE",like(process_name,"abc%"),"ABC",1=1,process_name)

Keep 1=1 in your query; if none of the conditions match, it will return the value.

If it's fine, please accept the answer.

0 Karma
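
Why `*` fails inside eval while like() works, as an added example that is not part of the original posts: eval compares strings literally, so "mfevtp*" only equals a name that really ends in an asterisk, whereas like() takes the SQL-style wildcards % and _ and match() takes a regular expression. The rows are constructed with makeresults so the search runs without any index; the names "abcd" and "svchost" and the fields n, literal_star and label are assumptions made for the illustration.

```spl
| makeresults count=5
| streamstats count as n
| eval process_name=case(n=1,"mfevtp", n=2,"mfevtp1", n=3,"mfevtp2", n=4,"abcd", n=5,"svchost")
| eval literal_star=if(process_name=="mfevtp*","McAFEE",process_name)
| eval label=case(like(process_name,"mfevtp%"),"McAFEE",
                  match(process_name,"^abc"),"ABC",
                  true(),process_name)
| table process_name literal_star label
```

The literal_star column keeps every original name, while label groups the three mfevtp variants under one value; appending `| stats count as Total by label` gives the series for the pie chart.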

Re: help to rename automatically random pie label

Contributor

many thanks

0 Karma