Dashboards & Visualizations

Is it possible to change a column name based on search results?

kaphie2002
New Member

I have a query that returns the number of accounts processed by hostnames. I would like to further break down the output to show the total number of messages sent for each account, which is a sum of the number of records per accountID.

Is it possible to create a table with the column as each hostname and rows of the total number of processed activity by account? For example:

                  Host1    host 2    host 3
    AccountID1    6        34        54
    AccountID2    100      56        230
    AccountID3    20       250       550

This is my current search:

host="host*" Mail sent successfully
| rex field=_raw ".renderTime.*connect.*send.*ms.(?<AccountID>.\w+)."
| fields + host + AccountID
| stats count by host

output:

         host     count
    1    host1    296105
    2    host2    547796
    3    host3    24976
    4    host4    54575

I also tried the query below but it only shows the total number of activity on all the hosts:

host="host*" Mail sent successfully
| rex field=_raw ".renderTime.*connect.*send.*ms.(?<AccountID>.\w+)."
| fields + host + AccountID
| table AccountID, host
| stats values(host) as Host count(AccountID) as "Total Messages Rendered" by AccountID
| sort "Total Messages Rendered" desc

    AccountID    Host     Total Messages Rendered
    45633        host1    826169
                 host2
    12354        host2    305354
                 host3

0 Karma

elliotproebstel
Champion

I'm having a little trouble parsing things the way they're getting displayed above, but does this get you to what you're trying to reach:

host="host*" Mail sent successfully
| rex field=_raw ".*renderTime.*connect.*send.ms.(?<AccountID>.\w+)."
| fields + host + AccountID
| stats count by host, AccountID
| xyseries AccountID host count

0 Karma

kaphie2002
New Member

This works perfectly, thank you!

I added a field for the total number of requests sent by each host using "addtotal". The issue is the total is the last column in the table, but I want it to be the second column. I have tried using fields and table to rearrange the columns, but it does not seem to display the correct count.

0 Karma
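
A self-contained search that reproduces the pivot from the reply above and then places a row total in the second column, as asked in the follow-up. It is an added example, not a search posted by anyone in this thread; the `makeresults` events, the `note` field that labels them, and the field name `Total` are constructed for illustration.

```spl
| makeresults count=7
| streamstats count AS n
| eval note="constructed sample events standing in for the Mail sent successfully matches"
| eval host=case(n<=3, "host1", n<=5, "host2", true(), "host3")
| eval AccountID=case(n==1 OR n==2 OR n==4, "AccountID1", n==3 OR n==6, "AccountID2", true(), "AccountID3")
| stats count BY host, AccountID
| xyseries AccountID host count
| fillnull value=0
| addtotals fieldname=Total
| table AccountID Total host*
```

`addtotals` runs after the pivot so that it sums the per-host columns of each row, and the final `table` only reorders the existing fields; the `host*` wildcard assumes every pivoted column name starts with `host`.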