Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dynamically generating a Field Name for a Table

tschmoney1337
New Member
‎09-25-2024 08:24 AM

Hi everyone!

I'm trying to figure out how to map a field name dynamically to a column of a table. as it stands the table looks like this:

twomonth_valueonemonth_valuecurrent_value
531

 

I want the output to be instead..

july_valueaugust_valueseptember_value
531

 

I am able to get the correct dynamic value of each month via

| eval current_value = strftime(relative_time(now(), "@mon"), "%B")+."_value"

However, i'm unsure on how to change the field name directly in the table.

Thanks in advance!

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-25-2024 08:45 AM

Hi @tschmoney1337 ,

please share your full search because you can modify the field name in rows but not in columns.

e.g. if you have a timestamp, you should use stats and eval, and then put in columns:

<your_search>
| bin span=1mon _time
| stats count BY _time
| eval current_value = strftime(_time, "%B")."_value"
| table current_value count
| transpose column_name=current_value header_field=current_value

I cannopt test it , but it should be correct or very near.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...