Dashboards & Visualizations

How to rename xyseries columns?

ttriman
Engager

Hello - I am trying to rename column produced using xyseries for splunk dashboard.
Can I do that or do I need to update our raw splunk log?

The log event details=

 

 

data: { [-]
     errors: [ [+]
     ]
     failed: false
     failureStage: null
     event: GeneratePDF
     jobId: 144068b1-46d8-4e6f-b3a9-ead742641ffd
     pageCount: 1
     pdfSizeInMb: 7.250756
     }
     userId: user1@user.com

 

 

 

the current splunk query I have is -

 

 

 

 | stats count by data.userId, data.failed | xyseries data.userId, data.failed count

 

 

 


Currently - my data is returning as follows

data.userId false true
User1@user.com 2  
User2@user.com 3 1
User3@user.com 2 2

 


Can I rename false = Successful and true = Failed?

 

Thank you in advance

Labels (1)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Yes, you can rename the fields either before or after xyseries.

After:

 

| stats count by data.userId, data.failed 
| xyseries data.userId, data.failed count
| rename false AS Successful, true AS Failed

 

Before:

 

| stats count by data.userId, data.failed 
| eval data.failed = if(data.failed="false", "Successful", "Failed")
| xyseries data.userId, data.failed count

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

ttriman
Engager

That works!! Thank you so much for the fast reply!

richgalloway
SplunkTrust
SplunkTrust

Yes, you can rename the fields either before or after xyseries.

After:

 

| stats count by data.userId, data.failed 
| xyseries data.userId, data.failed count
| rename false AS Successful, true AS Failed

 

Before:

 

| stats count by data.userId, data.failed 
| eval data.failed = if(data.failed="false", "Successful", "Failed")
| xyseries data.userId, data.failed count

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...