Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I implement multiple rename commands based on user input

actionabledata
Path Finder
‎07-24-2021 07:49 PM

I have a single algorithm with 2 methods. Each method produces the same type of data but with different fields names to keep them separated. The dashboard charts depend on which method the user selects in a menu.

Essentially I create interim results for both methods but desire to change the names to the field names used in the subsequent code.

[Q] What is a more efficient method of performing the "Big Switch" in the run anywhere code below?

 

| makeresults 5

| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "User Menu Selection"
| eval switch="A"

| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "Algorithm element2"
| eval calcMethod1_field1="1"
| eval calcMethod1_field2=2
| eval calcMethod1_field3=3
| eval calcMethod1_field4=4
| eval calcMethod1_field5=5

| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "Algorithm element2"
| eval calcMethod2_field1="1sub"
| eval calcMethod2_field2="2sub"
| eval calcMethod2_field3="3sub"
| eval calcMethod2_field4="4sub"
| eval calcMethod2_field5="5sub"

| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "                    Big Switch                                   " 
| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "This is the big switch before entering a stats command"
| rename comment AS "Intent is to rename several fields depending on switch value"
| eval fieldnameforstats_field1=case(switch=="A",calcMethod1_field1,switch=="B",calcMethod2_field1)
| eval fieldnameforstats_field2=case(switch=="A",calcMethod1_field2,switch=="B",calcMethod2_field2)
| eval fieldnameforstats_field3=case(switch=="A",calcMethod1_field3,switch=="B",calcMethod2_field3)
| eval fieldnameforstats_field4=case(switch=="A",calcMethod1_field4,switch=="B",calcMethod2_field4)
| eval fieldnameforstats_field5=case(switch=="A",calcMethod1_field5,switch=="B",calcMethod2_field5)

| fields - _time

| table fieldnameforstats_field*

 

Labels (2)
Labels
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...