Solved: replace field name with variable month value

antonio147 · ‎05-14-2021

Hi,
I did a search to change the name of the field with the value of another field (| eval {entity} = "bar") but it is not good for my search, it also displays the events only with | makeresults which is not good for me .
I would like to rename the camp based on the month we are in.
this is my query:

index=ala * sourcetype=segn
|fields - _*
|search NOT STATO_WFS_LA IN("6261","11084")
|eval CST=strptime(CAMBIO_STATO, "%Y-%m-%d")
|eval IMA=relative_time(now(), "-0mon@mon")
|eval FMP=relative_time(IMA, "-1d@d"), NFMP=strftime(FMP,"%B")
|eval DAMA = if(CST>=IMA,1,0)
|stats sum(DAMA) as CURRENT_MONTH by STATO_SEGN
|transpose 13 column_name=STATO_SEGN header_field=STATO_SEGN

I would like CURRENT_MONTH to become May or June based on the NFMP variable.
It's possible?
I am looking and trying various solutions, to no avail 😞
Tks

Regards

Antonio

ITWhisperer · ‎05-14-2021

Just repeat the calculation

| gentimes start=-90
| rename starttime as _time 
| fields _time
| streamstats count as row
| eval STATO_SEGN=mvindex(split("ABCDE",""),row%5)
| eval CST=_time
| eval IMA=relative_time(now(),"-0mon@mon")
| eval FMP=relative_time(IMA,"-1d@d"), NFMP=strftime(FMP,"%B")
| eval DAMA=if(CST>=IMA,1,0)
| stats sum(DAMA) as CURRENT_MONTH by STATO_SEGN
| transpose 13 column_name=STATO_SEGN header_field=STATO_SEGN
| eval STATO_SEGN=strftime(relative_time(now(),"-0mon@mon-1d"),"%B")

View solution in original post

ITWhisperer · ‎05-14-2021

Just repeat the calculation

| gentimes start=-90
| rename starttime as _time 
| fields _time
| streamstats count as row
| eval STATO_SEGN=mvindex(split("ABCDE",""),row%5)
| eval CST=_time
| eval IMA=relative_time(now(),"-0mon@mon")
| eval FMP=relative_time(IMA,"-1d@d"), NFMP=strftime(FMP,"%B")
| eval DAMA=if(CST>=IMA,1,0)
| stats sum(DAMA) as CURRENT_MONTH by STATO_SEGN
| transpose 13 column_name=STATO_SEGN header_field=STATO_SEGN
| eval STATO_SEGN=strftime(relative_time(now(),"-0mon@mon-1d"),"%B")

antonio147 · ‎05-14-2021

Hello IT Whispeper,
Thank you for your suggestion,
but if instead of just the previous month I also have other lines of the past months like 2 months ago, 3 months ago, 4 months ago?
How can I do?

for example
STATUS_SIGN A B C
April 1 2 3
March 6 6 6
February 5 5 4
.
.

ITWhisperer · ‎05-14-2021

| gentimes start=-90
| rename starttime as _time 
| fields _time
| streamstats count as row
| eval STATO_SEGN=mvindex(split("ABCDE",""),row%5)
| eval CST=_time
| bin span=1mon CST
| chart count by CST STATO_SEGN
| eval STATO_SEGN=strftime(CST,"%B")
| fields - CST
| table STATO_SEGN *

antonio147 · ‎05-14-2021

I had also thought about using CST.
As you suggested, the SIGN_STATE field is empty

antonio147 · ‎05-14-2021

I believe that after the stats command the CST variable no longer exists

antonio147 · ‎05-14-2021

I think I have solved,
I insert a case

| eval SIGN_STATE = case (
SIGN_STATE = "N_1", strftime (relative_time (now (), "- 0mon @ mon-1d"), "% B"),
SIGN_STATE = "N_2", strftime (relative_time (now (), "- 2mon @ mon-1d"), "% B"))

Tks

replace field name with variable month value

table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms