Basic Table Header Rename

New Member

I checked through the answers and cannot find anything that matches or will work...

I am asking how to rename a table header that is being displayed in a query/dashboard. The log file was indexed with a header name of _time. I would like to name it Date and Time.

Query is:

index="tiisst" sourcetype="xferlog" | regex _raw="^.+*$" | rex field=_raw "^(\S+\s+){8}\/(([^\s\/]+\/)+)(?<fileName>.+)(\s+\S+){8}$" | rex field=FileStatus "(?<FileStatus>(i|j|k|o|p|q))\s" | search "$field2$" "$field3$" | table _time ipaddress ServiceAccount fileName FileSize FileStatus | replace o with "Download Successful" i with "Upload Successful" j with "Upload Errored" k with "Upload Aborted" p with "Download Errored" q with "Download Aborted" in FileStatus

Thanks


Re: Basic Table Header Rename

SplunkTrust

`... | rename _time as "Date and Time" | ...`

---
If this reply helps you, an upvote would be appreciated.

Re: Basic Table Header Rename

New Member

Thanks... Does this then change the column name in the index so then _time variable is no longer available? When I used the rename, it appears to change the format to a number as shown below.

2017-02-23 09:49:25 becomes 1487861301


Re: Basic Table Header Rename

SplunkTrust

Indexes never change. You have to use the rename command on every search that does not want to display "_time".
I forgot about the implicit fieldformat for _time. Try `... | rename _time as "Date and Time" | fieldformat 'Date and Time'=strftime('Date and Time', "%Y-%m-%d %H:%M:%S") | ...`

---
If this reply helps you, an upvote would be appreciated.

Re: Basic Table Header Rename

Communicator

For those that come to this post via searching, to get this to work, I have to do the following:

| fieldformat "Date and Time"=strftime('Date and Time', "%Y-%m-%d %H:%M:%S")

Full quotes around Date and Time after fieldformat
