Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I implement multiple rename commands based ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I implement multiple rename commands based on user input
actionabledata
Path Finder
07-24-2021
07:49 PM
I have a single algorithm with 2 methods. Each method produces the same type of data but with different fields names to keep them separated. The dashboard charts depend on which method the user selects in a menu.
Essentially I create interim results for both methods but desire to change the names to the field names used in the subsequent code.
[Q] What is a more efficient method of performing the "Big Switch" in the run anywhere code below?
| makeresults 5
| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "User Menu Selection"
| eval switch="A"
| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "Algorithm element2"
| eval calcMethod1_field1="1"
| eval calcMethod1_field2=2
| eval calcMethod1_field3=3
| eval calcMethod1_field4=4
| eval calcMethod1_field5=5
| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "Algorithm element2"
| eval calcMethod2_field1="1sub"
| eval calcMethod2_field2="2sub"
| eval calcMethod2_field3="3sub"
| eval calcMethod2_field4="4sub"
| eval calcMethod2_field5="5sub"
| rename comment AS "-----------------------------------------------------------------"
| rename comment AS " Big Switch "
| rename comment AS "-----------------------------------------------------------------"
| rename comment AS "This is the big switch before entering a stats command"
| rename comment AS "Intent is to rename several fields depending on switch value"
| eval fieldnameforstats_field1=case(switch=="A",calcMethod1_field1,switch=="B",calcMethod2_field1)
| eval fieldnameforstats_field2=case(switch=="A",calcMethod1_field2,switch=="B",calcMethod2_field2)
| eval fieldnameforstats_field3=case(switch=="A",calcMethod1_field3,switch=="B",calcMethod2_field3)
| eval fieldnameforstats_field4=case(switch=="A",calcMethod1_field4,switch=="B",calcMethod2_field4)
| eval fieldnameforstats_field5=case(switch=="A",calcMethod1_field5,switch=="B",calcMethod2_field5)
| fields - _time
| table fieldnameforstats_field*
Get Updates on the Splunk Community!
See Splunk Platform & Observability Innovations at Cisco Live EMEA
Hi Splunkers,
Learn about what’s next for Splunk Platform at Cisco Live EMEA.
Data silos are a big challenge ...
The OpenTelemetry Certified Associate (OTCA) Exam
What’s this OTCA exam?
The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...
From Manual to Agentic: Level Up Your SOC at Cisco Live
Welcome to the Era of the Agentic SOC
Are you tired of being a manual alert responder? The security ...
