Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Custom text - Table

mahesh27
Communicator
‎07-23-2024 01:16 PM 
index=testindex source=application.logs
|rex "ErrorCode\:\[?<Error_Code>\d+]"
|search Error_Code IN(200, 500, 400, 505, 500)
|stats count by Error_Code
|Where count > 5

output:

Error_Codecount
20020
500100
40040
50545
50032


Instead of Errorcodes we want to display a custom text  as shown below.
How can we do this??

Expected output:

Error_Codecount
Application received with errorcode 20020
Application received with errorcode 500100
Application received with errorcode 40040
Application received with errorcode 50545
Application received with errorcode 50032

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2024 01:41 PM

Use the eval command to replace the Error_Code value with the desired text.

 

index=testindex source=application.logs
| rex "ErrorCode\:\[?<Error_Code>\d+]"
| search Error_Code IN (200, 500, 400, 505)
| stats count by Error_Code
| eval Error_Code = "Application received with errorcode " + Error_Code
| where count > 5

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

mahesh27
Communicator
‎07-23-2024 02:08 PM

hi @richgalloway , Even i tried with eval command but it did not work.
But i tried as per  your query it worked, thank you.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2024 05:16 AM

I don't understand the reply.  Did my answer work or not?  If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2024 01:41 PM

Use the eval command to replace the Error_Code value with the desired text.

 

index=testindex source=application.logs
| rex "ErrorCode\:\[?<Error_Code>\d+]"
| search Error_Code IN (200, 500, 400, 505)
| stats count by Error_Code
| eval Error_Code = "Application received with errorcode " + Error_Code
| where count > 5

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...