
Dynamic renaming of column header in a table

Explorer

How do I get timeColumnName to read as "July"? It needs to be dynamic. Keying off of the eval or something similar.

index="main" |eval timeColumnName=strftime(_time, "%b %d")|stats sparkline AS timeColumnName count by userName

The solution should easily work with

index="main" |eval timeColumnName=strftime(_time, "%b %d")|stats sparkline AS timeColumnName count by userName

Explicitly renaming |rename timeColumnName AS July is not what I'm looking for. I don't want to update the code in August.

For the first example, output should look like:

userName     July                                    Count
userA        prettyGraphic, use your imagination     54
userB        prettyGraphic                           23

And example 2 should have the date for an individual day:

userName     July 12                                 Count
userA        prettyGraphic, use your imagination     54
userB        prettyGraphic                           23

Sadly, the output currently looks like:

userName     timeColumnName                          Count
userA        prettyGraphic, use your imagination     54
userB        prettyGraphic                           23

Thanks in advance for any ideas.

Ultra Champion

Hello,
You could have a look at the following search (unless you've already solved the problem yourself). It makes use of the field date_month, which is calculated for all events (apart from any Windows event logs), along with date_hour, date_minute, date_wday, etc.

your_search_here | chart sparkline count AS usage_count over userid by date_month

userid     sparkline:september     usage_count:september
adam       graphics here           43
bill       graphics here           92
cecilia    graphics here           238

As you will see, it does not edit the actual column header, but rather uses the date_month as its header, of sorts. However, it will only look as intended if you limit the search so that only events from a single month are returned. The search will work for other time-ranges as well, but the output will not be what you desire.

Hope this helps,

Kristian