Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to change name of results dynamically

JoshuaJohn
Contributor
‎01-24-2017 07:14 AM

I have this search:

 index=nitro_iPad | rex "iPad-ip(?<storeNum>[^-]+)"  | rex "iOS(?<osversion>[^-]+)"  | table osversion storeNum | dedup storeNum

Here is an image of my results:
alt text

I want to alter my results so when it says ####j it would be ####_skate but for all of the letters present for example 1529k would turn into 1529_candy.

I figure a rename function would work but I tried to no avail I am guessing I just did it incorrectly.

Thank you!

Preview file
1 KB
0 Karma
Reply

somesoni2
Revered Legend
‎01-24-2017 07:49 AM

Give this a try

index=nitro_iPad | rex "iPad-ip(?<storeNum>[^-]+)"  | rex "iOS(?<osversion>[^-]+)"  | table osversion storeNum | eval storeNum=case(match(storeNum,"^\d+j$"),replace(storeNum,"^(\d+)j","\1_skate"),match(storeNum,"^\d+w+$"), replace(storeNum,"^(\d+)\w+$","\1_candy"),true(),storeNum) | dedup storeNum
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2017 07:35 AM

Hi JoshuaJohn,
try to add to your search something like this (I inserted in case function only two options, but you can insert other):

| eval storeNum=substr(storeNum,1,4)+case(substr(storeNum,5)="j","_skate",substr(storeNum,5)="k","_candy")

Bye.
Giuseppe

0 Karma
Reply

JoshuaJohn
Contributor
‎01-24-2017 09:02 AM

This works but it will completely ignore ones without a letter behind the name like 0126

0 Karma
Reply

woodcock
Esteemed Legend
‎01-24-2017 07:33 AM

Like this:

... | rex field=storeNum mode=sed "s/\D+$/_candy/"
0 Karma
Reply

JoshuaJohn
Contributor
‎01-24-2017 10:13 AM

Also works but the problem I am having here is with situations like 1502aa which would be 1502_marshmallow but 1407a would be 1407_crush instead 1502 would show up like this 1502_marshmallow_crush.

0 Karma
Reply

woodcock
Esteemed Legend
‎01-24-2017 10:22 AM

Then you chain them up like this:

 ... | rex field=storeNum mode=sed "s/k$/_candy/ s/aa$/_marshmallow/ s/a$/_crush/"
0 Karma
Reply

JoshuaJohn
Contributor
‎01-24-2017 10:40 AM

I am getting a weird search is waiting for input when I start to chain

0 Karma
Reply

woodcock
Esteemed Legend
‎01-24-2017 10:47 AM

Make sure that you are doing the tokening correctly. Download this app and check out the examples:

https://splunkbase.splunk.com/app/1603/

Check out the code for "Token Customization" examples.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...