Splunk Search

How can I change the header so it displays the current date?

Motivator

Hi,

I have a table output like below,

**OS**       Range1       Range2       Range3     Range4
AIX          10           20           30         40
HP-UX        50           60           70         80
Linux        90           100          110        120

But I want a table like below,

**2017-08-10** Range1       Range2       Range3   Range4
AIX            10           20           30       40
HP-UX          50           60           70       80
Linux          90           100          110      120

Date should be change daily.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try this

your current search giving fields OS Range 1... (gives output 1)
| eval today=strftime(now(),"%Y-%m-%d") 
| eval {today}=OS | fields - OS today

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Try this

your current search giving fields OS Range 1... (gives output 1)
| eval today=strftime(now(),"%Y-%m-%d") 
| eval {today}=OS | fields - OS today

View solution in original post

0 Karma

Motivator

Nope it is not working. i need header label instead of os i need current date value.

0 Karma

SplunkTrust
SplunkTrust

Can you provide what you get with my answer and what you expect?

Runanywhere sample.

| gentimes start=-1 | eval OS="AIX" | table OS | eval Range1=30 | eval Range2=50

Output

OS    Range1   Range2
AIX  30  50

With my answer

| gentimes start=-1 | eval OS="AIX" | table OS | eval Range1=30 | eval Range2=50  | eval today=strftime(now(),"%Y-%m-%d") 
| eval {today}=OS | fields - today OS

Output

2017-08-10   Range1   Range2
AIX  30  50  
0 Karma

Motivator

Query:

| inputlookup SystemsUpTimeRange.csv WHERE (range="91-180 days") AND os=AIX AND os!=NA
| stats sum(count) as tcount by time os range
| sort - _time
| head 8
| rename tcount as 91
180days
| fields - range
| delta 91
180days as 91180daysc p=7
| tail 1 | ..... more query ............ | eval today=strftime(now(),"%Y-%m-%d")
| eval {today}=os | fields - os today | table 91180days 91180daysc 180plusdays 180plusdaysc

Ouput:

91180days 91180daysc 180plusdays 180plusdaysc
25 7 77 -6
6 0
456 -20 142 -9

0 Karma

SplunkTrust
SplunkTrust

Your last table command is removing the field with today's date. Replace your last table command with this

| table * 91_180_days 91_180_days_c 180_plus_days 180_plus_days_c

OR

| table 2* 91_180_days 91_180_days_c 180_plus_days 180_plus_days_c
0 Karma