Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Custom text - Table

mahesh27
Communicator
‎07-23-2024 01:16 PM 
index=testindex source=application.logs
|rex "ErrorCode\:\[?<Error_Code>\d+]"
|search Error_Code IN(200, 500, 400, 505, 500)
|stats count by Error_Code
|Where count > 5

output:

Error_Codecount
20020
500100
40040
50545
50032


Instead of Errorcodes we want to display a custom text  as shown below.
How can we do this??

Expected output:

Error_Codecount
Application received with errorcode 20020
Application received with errorcode 500100
Application received with errorcode 40040
Application received with errorcode 50545
Application received with errorcode 50032

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2024 01:41 PM

Use the eval command to replace the Error_Code value with the desired text.

 

index=testindex source=application.logs
| rex "ErrorCode\:\[?<Error_Code>\d+]"
| search Error_Code IN (200, 500, 400, 505)
| stats count by Error_Code
| eval Error_Code = "Application received with errorcode " + Error_Code
| where count > 5

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

mahesh27
Communicator
‎07-23-2024 02:08 PM

hi @richgalloway , Even i tried with eval command but it did not work.
But i tried as per  your query it worked, thank you.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2024 05:16 AM

I don't understand the reply.  Did my answer work or not?  If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2024 01:41 PM

Use the eval command to replace the Error_Code value with the desired text.

 

index=testindex source=application.logs
| rex "ErrorCode\:\[?<Error_Code>\d+]"
| search Error_Code IN (200, 500, 400, 505)
| stats count by Error_Code
| eval Error_Code = "Application received with errorcode " + Error_Code
| where count > 5

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...