Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Making a chart and I want to change columns header names from Windows eventlog EventCodes to something readable

kpers
Path Finder
‎05-21-2015 03:02 PM

I am making a basic chart from windows event logs and the chart looks like this:

SourceName="Microsoft-Windows-IIS-IISReset" | chart count by host EventCode

I only get two event codes back and they are 3201 and 3202, basically telling me IIS either started or stopped. What would I put in the search to do something like:

| RENAME (EventCode=3201,"Start") RENAME (EventCode=3202,"Stop")

I know this is a simple one, but I can't seem to find an example that fits what I am looking for. It may be because I am new to Splunk and just too and to dumb to understand unless it is in baby talk LOL.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎05-21-2015 03:54 PM

Here you go:

SourceName="Microsoft-Windows-IIS-IISReset" | chart count by host EventCode|replace 3201 with Start in EventCode|replace 3202 with Stop in EventCode

Thanks

SGF

View solution in original post

Reply
Solved! Jump to solution

chimell
Motivator
‎05-21-2015 04:42 PM

Hi kpers
This search code can also work

SourceName="Microsoft-Windows-IIS-IISReset"|eval IIS=if(EventCode==3201 , "Start" , "Stop")|rename IIS as EventCode  | chart count by host EventCode
Reply
Solved! Jump to solution

kpers
Path Finder
‎05-21-2015 06:11 PM

This alternate option also worked! I just had to know how it worked and reverse engineer it and now I know more about how the eval/if command I kept seeing pop up in other posts. I like the simplicity of the replace command so I will stick with it in this basic search but the gears in my head are grinding on how I would use the eval/if combination in other situations.

Thank you so much for posing an alternate option that tough me a another Spluk trick!

Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎05-21-2015 03:54 PM

Here you go:

SourceName="Microsoft-Windows-IIS-IISReset" | chart count by host EventCode|replace 3201 with Start in EventCode|replace 3202 with Stop in EventCode

Thanks

SGF
Reply
Solved! Jump to solution

kpers
Path Finder
‎05-21-2015 04:32 PM

Thanks! that got me on the right track, it didn't work with the replaces after the chart but when I put them in front of the pipe chart it worked!

SourceName="Microsoft-Windows-IIS-IISReset" | replace 3201 with Start in EventCode| replace 3202 with Stop in EventCode | chart count by host EventCode

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...