Dynamically generating a Field Name for a Table

tschmoney1337 · ‎09-25-2024

Hi everyone!

I'm trying to figure out how to map a field name dynamically to a column of a table. as it stands the table looks like this:

twomonth_value	onemonth_value	current_value
5	3	1

I want the output to be instead..

july_value	august_value	september_value
5	3	1

I am able to get the correct dynamic value of each month via

| eval current_value = strftime(relative_time(now(), "@mon"), "%B")+."_value"

However, i'm unsure on how to change the field name directly in the table.

Thanks in advance!

gcusello · ‎09-25-2024

Hi @tschmoney1337 ,

please share your full search because you can modify the field name in rows but not in columns.

e.g. if you have a timestamp, you should use stats and eval, and then put in columns:

<your_search>
| bin span=1mon _time
| stats count BY _time
| eval current_value = strftime(_time, "%B")."_value"
| table current_value count
| transpose column_name=current_value header_field=current_value

I cannopt test it , but it should be correct or very near.

Ciao.

Giuseppe

Dynamically generating a Field Name for a Table

eval

table

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres

Are you a member of the Splunk Community?

Dynamically generating a Field Name for a Table

eval

table

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres