Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I rename fields in my Splunk search res...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I rename fields in my Splunk search result set?
pawnalmighty
Engager
10-18-2015
11:40 PM
index=xxx earliest=-7d@d latest=@d
( sourcetype="FirstSourceType" ResponsePayLoad="*xxx*" ActivityStep="rs" (ResponseStatus!=500 OR ResponseStatus!=400) )
OR
( sourcetype="SecondSourceType" OperationName=CSRequestProcessor.post ActivityStep="rs" ResponseStatus=0)
| eval txn_id=if(transaction_id LIKE "[%]", substr(transaction_id, 2, 36) , transaction_id) | chart sum(Duration) over txn_id by sourcetype
What I get is a table with three columns :
txn_id ..... FirstSourceType .... SecondSourceType
Is it possible to rename FirstSourceType & SecondSourceType to "Total Time Taken" & "Total time taken by zzz" respectively?
I tried rename command but couldn't get it to work:
index=xxx earliest=-7d@d latest=@d
( sourcetype="FirstSourceType" ResponsePayLoad="*xxx*" ActivityStep="rs" (ResponseStatus!=500 OR ResponseStatus!=400) ) | rename sourcetype to "Total Time Taken"
OR
( sourcetype="SecondSourceType" OperationName=CSRequestProcessor.post ActivityStep="rs" ResponseStatus=0) | rename sourcetype to ""Total time taken by zzz"
| eval txn_id=if(transaction_id LIKE "[%]", substr(transaction_id, 2, 36) , transaction_id) | chart sum(Duration) over txn_id by sourcetype
But I got the error:
Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fdi01
Motivator
01-27-2016
05:13 AM
try like :
... | rename FirstSourceType as "Total Time Taken" , SecondSourceType as "Total time taken by zzz" |...
you can try like this in your case :
index=xxx earliest=-7d@d latest=@d
( sourcetype="FirstSourceType" ResponsePayLoad="*xxx*" ActivityStep="rs" (ResponseStatus!=500 OR ResponseStatus!=400) )
OR
( sourcetype="SecondSourceType" OperationName=CSRequestProcessor.post ActivityStep="rs" ResponseStatus=0)
| eval txn_id=if(transaction_id LIKE "[%]", substr(transaction_id, 2, 36) , transaction_id) | chart sum(Duration) over txn_id by sourcetype |replace FirstSourceType with "Total Time Taken" in sourcetype |replace SecondSourceType with "Total time taken by zzz" in sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asimagu
Builder
10-19-2015
02:35 AM
you can try eval
eval "Total Time Taken"=sourcetype
and then you will need to get rid of the unwanted fields | fields - sourcetype
Get Updates on the Splunk Community!
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
Splunk Decoded: Business Transactions vs Business IQ
It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...
Fastest way to demo Observability
I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...
