Reporting

Showing index name as an alias in report

runiyal
Path Finder

I am trying to get count of rows in each index. Here is the search creteria -

(index=abc <search creteria 1>) OR (index=xyz <search creteria 2>) | stats count by index

Result is like -

Index    Count
abc 100
xyz 98

But I need to have different name in the report for the indexes. I would like to have report like -

Index    Count
Index1  100
Index2  98

How can we achieve this? How to change name of the index?

Tags (3)
0 Karma
1 Solution

marycordova
SplunkTrust
SplunkTrust
(index=abc <search creteria 1>) OR (index=xyz <search creteria 2>)
| stats count by index
| eval index=case('index'=="abc","Index1",'index'=="xyz","Index2",etc)
@marycordova

View solution in original post

0 Karma

runiyal
Path Finder

Thanks Mary!

marycordova
SplunkTrust
SplunkTrust
(index=abc <search creteria 1>) OR (index=xyz <search creteria 2>)
| stats count by index
| eval index=case('index'=="abc","Index1",'index'=="xyz","Index2",etc)
@marycordova
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...