Rename field names to result of an eval

anthonyfry · ‎06-19-2020

I have a simple flat data table in splunk enterprise 8.02 that has values in a field called UK_0 for current month quantities and UK_1 for the previous month up to UK_6 for six months ago. I am trying to replace these field names with the actual month names using an eval on now() to get month names

| eval thismonth=strftime(now(),"%B"), lastmonth = strftime(relative_time(now(),"-1mon"),"%B")
|stats  Values("Service provider") as "Service Provider" values(part_id) as "Part Number"  values(UK_1) as lastmonth values(UK_0) as thismonth  by "Part Info"

the above simply replaces the UK_0 with the heading "thismonth" rather than June. how do i get it to say May and June rather than UK_1 & UK_0 ?

to4kawa · ‎06-19-2020

sample:

| makeresults 
| fillnull UK_0 UK_1 UK_6 
| foreach UK_* [ eval month_<<MATCHSTR>>=strftime(relative_time(now(),-1*tonumber(<<MATCHSTR>>)."month@month"),"%B")
| eval {month_<<MATCHSTR>>}=<<FIELD>>]
| fields - *_*

After calculating, convert it like this

Rename field names to result of an eval

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Rename field names to result of an eval

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console