Archive

how to display a field two times in a table with the original values and after a rename of the values

Contributor

hi

As you can see below, I am doing a stats with the field "process_name"
In order to be more comprenhensive, I am doing a rename of this field with a case function
But in my table, I would like to display this field 2 times : one time with the original name and another time with the name done after the rename
How I can do this please??

| stats values xxxxxx by host process_name 
| eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield")
| rename process_name as "Process name" 
| table "Process name" 
Tags (1)
0 Karma
1 Solution

Path Finder

Maybe evaluate it to a new field.
| stats values xxxxxx by host process_name
| eval "Process name" =case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield")
| table "Process name" process_name

View solution in original post

0 Karma

Path Finder

Maybe evaluate it to a new field.
| stats values xxxxxx by host process_name
| eval "Process name" =case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield")
| table "Process name" process_name

View solution in original post

0 Karma

Contributor

no doesnt works

0 Karma

Path Finder

JIP31 check what your case statement, for me it returns an error.
Without seeing your data I cant be sure I have your syntax right, but maybe try the below.

| eval process_name=case(process_name
like "mfev%",process_name,
process_name like "mcdatrep",
process_name,
process_name=="mcshield",
process_name) | eval "Process name" =
process_name | table "Process name"
process_name

0 Karma

Contributor

like this it works thanks!

0 Karma