I checked through the answers and cannot find anything that matches or will work...
I am asking how to rename a table header that is being displayed in a query/dashboard. The log file was indexed with a header name of _time. I would like to name it Date and Time.
Query is:
index="ti_is_st" sourcetype="xfer_log"
| regex _raw="^.+*$"
| rex field=_raw "^(\S+\s+){8}\/(([^\s\/]+\/)+)(?<fileName>.+)(\s+\S+){8}$"
| rex field=File_Status "(?<File_Status>(i|j|k|o|p|q))\s"
| search "$field2$" "$field3$"
| table _time ip_address Service_Account fileName File_Size File_Status
| replace o with "Download Successful" i with "Upload Successful" j with "Upload Errored" k with "Upload Aborted" p with "Download Errored" q with "Download Aborted" in File_Status
Thanks
... | rename _time as "Date and Time" | ...
Thanks... Does this then change the column name in the index, so that the _time variable is no longer available? When I used the rename, it appears to change the format to a number, as shown below.
2017-02-23 09:49:25 becomes 1487861301
Indexes never change. You have to use the rename command on every search that does not want to display "_time".
I forgot about the implicit fieldformat for _time. Try ... | rename _time as "Date and Time" | fieldformat 'Date and Time'=strftime('Date and Time', "%Y-%m-%d %H:%M:%S") | ...
For those that come to this post via searching, to get this to work, I have to do the following:
| fieldformat "Date and Time"=strftime('Date and Time', "%Y-%m-%d %H:%M:%S")
Full quotes around Date and Time after fieldformat
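Putting the pieces of this thread together, here is the original query with the rename and the display-format fix applied end to end. This is an added example, not a query posted by anyone in the thread; it assumes the same index, sourcetype, field names and dashboard tokens that appear in the question. The rename comes after `table` so that `table` can keep referring to `_time`, and `fieldformat` uses the double-quoted field name that was reported to work.

```spl
index="ti_is_st" sourcetype="xfer_log"
| rex field=_raw "^(\S+\s+){8}\/(([^\s\/]+\/)+)(?<fileName>.+)(\s+\S+){8}$"
| rex field=File_Status "(?<File_Status>(i|j|k|o|p|q))\s"
| search "$field2$" "$field3$"
| table _time ip_address Service_Account fileName File_Size File_Status
| rename _time AS "Date and Time"
| fieldformat "Date and Time"=strftime('Date and Time', "%Y-%m-%d %H:%M:%S")
| replace o WITH "Download Successful" i WITH "Upload Successful" j WITH "Upload Errored" k WITH "Upload Aborted" p WITH "Download Errored" q WITH "Download Aborted" IN File_Status
```

Two details worth knowing when adapting this. First, the quoting asymmetry is deliberate: on the left of `=` the target field name is written with double quotes, while inside `strftime()` the same field is referenced with single quotes, which is how SPL reads a field name containing spaces inside an `eval`-style expression. Second, `fieldformat` only changes what is rendered; the underlying value stays the epoch number, so sorting on "Date and Time" still sorts chronologically and any later `where` or `eval` on it still sees seconds. If you instead want a real string (for example to export it or to `stats` on it), swap `fieldformat` for `eval`, accepting that the field then sorts as text.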