Splunk Search

How can I change the header so it displays the current date?

sbbadri
Motivator

Hi,

I have a table output like below,

**OS**       Range1       Range2       Range3     Range4
AIX          10           20           30         40
HP-UX        50           60           70         80
Linux        90           100          110        120

But I want a table like below,

**2017-08-10** Range1       Range2       Range3   Range4
AIX            10           20           30       40
HP-UX          50           60           70       80
Linux          90           100          110      120

The date should change daily.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

your current search giving fields OS Range 1... (gives output 1)
| eval today=strftime(now(),"%Y-%m-%d") 
| eval {today}=OS | fields - OS today


0 Karma


sbbadri
Motivator

Nope, it is not working. For the header label, instead of os, I need the current date value.

0 Karma

somesoni2
Revered Legend

Can you provide what you get with my answer and what you expect?

Run-anywhere sample.

| gentimes start=-1 | eval OS="AIX" | table OS | eval Range1=30 | eval Range2=50

Output

OS    Range1   Range2
AIX   30       50

With my answer

| gentimes start=-1 | eval OS="AIX" | table OS | eval Range1=30 | eval Range2=50  | eval today=strftime(now(),"%Y-%m-%d") 
| eval {today}=OS | fields - today OS

Output

2017-08-10   Range1   Range2
AIX          30       50

0 Karma

sbbadri
Motivator

Query:

| inputlookup SystemsUpTimeRange.csv WHERE (range="91-180 days") AND os=AIX AND os!=NA
| stats sum(count) as tcount by _time os range
| sort - _time
| head 8
| rename tcount as 91_180_days
| fields - range
| delta 91_180_days as 91_180_days_c p=7
| tail 1 | ..... more query ............ | eval today=strftime(now(),"%Y-%m-%d")
| eval {today}=os | fields - os today | table 91_180_days 91_180_days_c 180_plus_days 180_plus_days_c

Output:

91_180_days 91_180_days_c 180_plus_days 180_plus_days_c
25 7 77 -6
6 0
456 -20 142 -9

0 Karma

somesoni2
Revered Legend

Your last table command is removing the field with today's date. Replace your last table command with this

| table * 91_180_days 91_180_days_c 180_plus_days 180_plus_days_c

OR

| table 2* 91_180_days 91_180_days_c 180_plus_days 180_plus_days_c

0 Karma