Knowledge Management

can we use rename command for eventtype

Motivator

Hi

Can we rename the eventypes .. ?? If so please send the command .

Thanx

Tags (1)
0 Karma
1 Solution

Legend

Yes? Could you please tell us more about which eventtypes you want to rename how, and we might be able to help you?

UPDATE: So, to get rid of the et_MP_ prefix, you could use rex in sed mode.

... | rex field=eventtype mode=sed "s/et_MP_//"

View solution in original post

Legend

Yes? Could you please tell us more about which eventtypes you want to rename how, and we might be able to help you?

UPDATE: So, to get rid of the et_MP_ prefix, you could use rex in sed mode.

... | rex field=eventtype mode=sed "s/et_MP_//"

View solution in original post

Legend

No problem! Could you please mark my answer as accepted? Thanks!

0 Karma

Motivator

Thanks Ayn !! It was very helpful

0 Karma

Legend

Updated my answer.

0 Karma

Motivator

yeah sure..

I have eventtypes names like this

1.et_MP_Accepted

2.et_MP_Rejected

Now i have written a query like this..

sourcetype="MPdata" | eval Field=mvfilter(eventtype like "et_MP_%") | top Field

No i am getting my results as

o/p:

1.et_MP_Accepted 30

2.et_MP_Rejected 20

I want to rename these eventtypes as et_MP_Accepted as Accepted and et_MP_Rejected as Rejected in the output...

How can i do that ?? . Please Help !!

0 Karma