Dashboards & Visualizations

How to get two different field names

aditsss
Builder

Hi Everyone,

I am using below query:

index=abc  ns=blazegateway|stats count by app_name|eval f1="hg"

I am getting result as :

app_name                     count                  f1

abc                                       1                          hg

bcd                                          2                         hg

My requirement is for my column f1 I am getting hg in both rows I want some other name in 2nd row

What changes I should do in my query

Labels (3)
0 Karma
1 Solution

ITWhisperer
Ultra Champion

Depending on how you determine what value should go in f1, you could use a case function, e.g.

 

| eval f1=case(app_name="abc","hg")
| eval f2=case(app_name="bcd","xy")

 

View solution in original post

aditsss
Builder

@ITWhisperer 

 

Thank you so much

0 Karma

ITWhisperer
Ultra Champion

Depending on how you determine what value should go in f1, you could use a case function, e.g.

 

| eval f1=case(app_name="abc","hg")
| eval f2=case(app_name="bcd","xy")

 

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!