Yes? Could you please tell us more about which eventtypes you want to rename how, and we might be able to help you?
UPDATE: So, to get rid of the et_MP_ prefix, you could use rex in sed mode.
... | rex field=eventtype mode=sed "s/et_MP_//"
No problem! Could you please mark my answer as accepted? Thanks!
Thanks Ayn !! It was very helpful
Updated my answer.
yeah sure..
I have eventtype names like this:
1.et_MP_Accepted
2.et_MP_Rejected
Now I have written a query like this:
sourcetype="MPdata" | eval Field=mvfilter(eventtype like "et_MP_%") | top Field
Now I am getting my results as
o/p:
1.et_MP_Accepted 30
2.et_MP_Rejected 20
I want to rename these eventtypes as et_MP_Accepted as Accepted and et_MP_Rejected as Rejected in the output...
How can I do that? Please help!