Solved: How to rename xyseries columns?

ttriman · ‎01-06-2023

Hello - I am trying to rename column produced using xyseries for splunk dashboard.
Can I do that or do I need to update our raw splunk log?

The log event details=

data: { [-]
     errors: [ [+]
     ]
     failed: false
     failureStage: null
     event: GeneratePDF
     jobId: 144068b1-46d8-4e6f-b3a9-ead742641ffd
     pageCount: 1
     pdfSizeInMb: 7.250756
     }
     userId: user1@user.com

the current splunk query I have is -

 | stats count by data.userId, data.failed | xyseries data.userId, data.failed count

Currently - my data is returning as follows

data.userId	false	true
User1@user.com	2
User2@user.com	3	1
User3@user.com	2	2

Can I rename false = Successful and true = Failed?

Thank you in advance

richgalloway · ‎01-06-2023

Yes, you can rename the fields either before or after xyseries.

After:

| stats count by data.userId, data.failed 
| xyseries data.userId, data.failed count
| rename false AS Successful, true AS Failed

Before:

| stats count by data.userId, data.failed 
| eval data.failed = if(data.failed="false", "Successful", "Failed")
| xyseries data.userId, data.failed count

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ttriman · ‎01-06-2023

That works!! Thank you so much for the fast reply!

richgalloway · ‎01-06-2023

Yes, you can rename the fields either before or after xyseries.

After:

| stats count by data.userId, data.failed 
| xyseries data.userId, data.failed count
| rename false AS Successful, true AS Failed

Before:

| stats count by data.userId, data.failed 
| eval data.failed = if(data.failed="false", "Successful", "Failed")
| xyseries data.userId, data.failed count

---
If this reply helps you, Karma would be appreciated.

How to rename xyseries columns?

dashboard

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake