Dashboards & Visualizations
Highlighted

how do I change a legend label for a graph?

New Member

sourcetype="pan:threat" earliest=-1d | timechart span=5m count by threat_name limit=8

I am doing a search like the one above, and one of the legend labels for the threat_name only comes up with the ID number not the actual name, ie. URL filtering for 9999 in the legend. The other labels come up correctly. I am trying to find where I can change the 9999 to a URL filtering (9999) or something like that? Is this a case that I would use an eval/case statement. I have tried and was unsuccessful in forming a correct one to get what I was hoping for. Thank you in advance.

-Sam

0 Karma
Highlighted

Re: how do I change a legend label for a graph?

Splunk Employee
Splunk Employee

I've answered something similar here https://answers.splunk.com/answers/687775/how-do-i-make-a-search-string-to-get-real-time-dat.html

The solution there was to pipe the result into the rename command

View solution in original post

0 Karma
Highlighted

Re: how do I change a legend label for a graph?

New Member

sourcetype="pan:threat" earliest=-1d | timechart span=5m count by threat_name limit=8 | rename "(9999)" as "URL Filtering(9999)"

rename "(9999)" as "URL Filtering(9999)" is what I was missing. Thanks for the answer.

0 Karma