Solved: How To rename the field value name from the output...

hrs2019 · ‎01-27-2020

Hi
I want to rename output field value name

Week1
1. Systems ops 12.1 to ops
2 .Systems dev 12.1 to dev

Below is the diagram for more info.

kamlesh_vaghela · ‎01-27-2020

@hrs2019
You can use replace also.

https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/SearchReference/Replace

| makeresults 
| eval Week1 ="Systems ops 12.1", "Number of tickets"=20 
| append 
    [| makeresults 
    | eval Week1 ="Systems dev 12.1", "Number of tickets"=15] 
| replace "Systems * 12.1" with "*" in Week1 | eval Week1=upper(Week1)
 | table Week1,"Number of tickets"

View solution in original post

to4kawa · ‎01-27-2020

| makeresults 
| eval Week1 ="Systems ops 12.1", "Number of tickets"=20 
| appendpipe 
    [| eval Week1 ="Systems dev 12.1", "Number of tickets"=15] 
| eval Week1=Upper(mvindex(split(Week1," "),1)) 
| table Week1,"Number of tickets"

Hi, @hrs2019
This is shortest and REGEX-free.

kamlesh_vaghela · ‎01-27-2020

@hrs2019
You can use replace also.

https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/SearchReference/Replace

| makeresults 
| eval Week1 ="Systems ops 12.1", "Number of tickets"=20 
| append 
    [| makeresults 
    | eval Week1 ="Systems dev 12.1", "Number of tickets"=15] 
| replace "Systems * 12.1" with "*" in Week1 | eval Week1=upper(Week1)
 | table Week1,"Number of tickets"

vnravikumar · ‎01-27-2020

Hi

Check this

| makeresults 
| eval Week1 ="Systems ops 12.1", "Number of tickets"=20
| append
    [| makeresults 
| eval Week1 ="Systems dev 12.1", "Number of tickets"=15] 
| eval Week1=case(Week1="Systems ops 12.1","OPS",Week1="Systems dev 12.1","Dev",1=1,Week1) 
| table Week1,"Number of tickets"

How To rename the field value name from the output.

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)