Solved: How to rename xyseries columns?

ttriman · ‎01-06-2023

Hello - I am trying to rename column produced using xyseries for splunk dashboard.
Can I do that or do I need to update our raw splunk log?

The log event details=

data: { [-]
     errors: [ [+]
     ]
     failed: false
     failureStage: null
     event: GeneratePDF
     jobId: 144068b1-46d8-4e6f-b3a9-ead742641ffd
     pageCount: 1
     pdfSizeInMb: 7.250756
     }
     userId: user1@user.com

the current splunk query I have is -

 | stats count by data.userId, data.failed | xyseries data.userId, data.failed count

Currently - my data is returning as follows

data.userId	false	true
User1@user.com	2
User2@user.com	3	1
User3@user.com	2	2

Can I rename false = Successful and true = Failed?

Thank you in advance

richgalloway · ‎01-06-2023

Yes, you can rename the fields either before or after xyseries.

After:

| stats count by data.userId, data.failed 
| xyseries data.userId, data.failed count
| rename false AS Successful, true AS Failed

Before:

| stats count by data.userId, data.failed 
| eval data.failed = if(data.failed="false", "Successful", "Failed")
| xyseries data.userId, data.failed count

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ttriman · ‎01-06-2023

That works!! Thank you so much for the fast reply!

richgalloway · ‎01-06-2023

Yes, you can rename the fields either before or after xyseries.

After:

| stats count by data.userId, data.failed 
| xyseries data.userId, data.failed count
| rename false AS Successful, true AS Failed

Before:

| stats count by data.userId, data.failed 
| eval data.failed = if(data.failed="false", "Successful", "Failed")
| xyseries data.userId, data.failed count

---
If this reply helps you, Karma would be appreciated.

How to rename xyseries columns?

dashboard

Exciting News: The AppDynamics Community Joins Splunk!

Buttercup Games: Further Dashboarding Techniques (Part 3)

Digital Resilience Assessment Launch | How prepared are you for disruption?