Solved: Re: Change host name at search time

hartfoml · ‎11-15-2012

I have a search like this

sourcetype=foo | stats count by host

I have 8 hosts that report to this search and all of them have standard names but one does not.

I get this type of results:

host     count
sys1     20
sys2     25
srv1     40

I want to change the results so that srv1 shows up in the results as sys3.

as always thanks for your help....:-)

Ayn · ‎11-15-2012

Just rewrite the host value in your search before the stats command.

sourcetype=foo | eval host=if(host=="srv1","sys3",host) | stats count by host

Ayn · ‎11-15-2012

Just rewrite the host value in your search before the stats command.

sourcetype=foo | eval host=if(host=="srv1","sys3",host) | stats count by host

hartfoml · ‎11-15-2012

thanks much

Change host name at search time