Splunk Search

How can I change the header so it displays the current date?

sbbadri
Motivator

Hi,

I have a table output like below,

**OS**       Range1       Range2       Range3     Range4
AIX          10           20           30         40
HP-UX        50           60           70         80
Linux        90           100          110        120

But I want a table like below,

**2017-08-10** Range1       Range2       Range3   Range4
AIX            10           20           30       40
HP-UX          50           60           70       80
Linux          90           100          110      120

Date should be change daily.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

your current search giving fields OS Range 1... (gives output 1)
| eval today=strftime(now(),"%Y-%m-%d") 
| eval {today}=OS | fields - OS today

View solution in original post

0 Karma

somesoni2
Revered Legend

Try this

your current search giving fields OS Range 1... (gives output 1)
| eval today=strftime(now(),"%Y-%m-%d") 
| eval {today}=OS | fields - OS today
0 Karma

sbbadri
Motivator

Nope it is not working. i need header label instead of os i need current date value.

0 Karma

somesoni2
Revered Legend

Can you provide what you get with my answer and what you expect?

Runanywhere sample.

| gentimes start=-1 | eval OS="AIX" | table OS | eval Range1=30 | eval Range2=50

Output

OS    Range1   Range2
AIX  30  50

With my answer

| gentimes start=-1 | eval OS="AIX" | table OS | eval Range1=30 | eval Range2=50  | eval today=strftime(now(),"%Y-%m-%d") 
| eval {today}=OS | fields - today OS

Output

2017-08-10   Range1   Range2
AIX  30  50  
0 Karma

sbbadri
Motivator

Query:

| inputlookup SystemsUpTimeRange.csv WHERE (range="91-180 days") AND os=AIX AND os!=NA
| stats sum(count) as tcount by _time os range
| sort - _time
| head 8
| rename tcount as 91_180_days
| fields - range
| delta 91_180_days as 91_180_days_c p=7
| tail 1 | ..... more query ............ | eval today=strftime(now(),"%Y-%m-%d")
| eval {today}=os | fields - os today | table 91_180_days 91_180_days_c 180_plus_days 180_plus_days_c

Ouput:

91_180_days 91_180_days_c 180_plus_days 180_plus_days_c
25 7 77 -6
6 0
456 -20 142 -9

0 Karma

somesoni2
Revered Legend

Your last table command is removing the field with today's date. Replace your last table command with this

| table * 91_180_days 91_180_days_c 180_plus_days 180_plus_days_c

OR

| table 2* 91_180_days 91_180_days_c 180_plus_days 180_plus_days_c
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...