Re: How should I rename a dynamic value after usin...

vaibhavvijay9 · ‎12-03-2018

Hi All,

I am using this search string as below :
(some data- index, host, etc)............. | xmlkv | search "ns0:ApplicationFunction"=NotifyBusinessPartnerUpdate_Update_1 | timechart count by ns0:Code | rename LifeRetailCBCustomerSolife-Update-007 as "ABC"

Output:

BUT instead of hardcoded LifeRetailCBCustomerSolife-Update-007 I want it to be dynamic as ns0:Code , see below :
(some data- index, host, etc)............. | xmlkv | search "ns0:ApplicationFunction"=NotifyBusinessPartnerUpdate_Update_1 | timechart count by ns0:Code | rename ns0:Code as "ABC"

Output :

So please help me to get the output same as first but using the second way of search string.

Thanks in advance.

*Please don't go with the attached images filenames.

petom · ‎12-06-2018

Use values mapping. E.g. :

<index and filter> | xmlkv | search "ns0:ApplicationFunction"=NotifyBusinessPartnerUpdate_Update_1
| eval dynvalue=case(ns0:Code="value1","label1", ns0:Code="value2","label2", ....)
| timechart count by dynvalue

sergeye · ‎12-03-2018

Hi If ns0:Code has only 1 value you can make the renaming before the timechart command
so it should be:

(some data- index, host, etc)............. 
| xmlkv 
| search "ns0:ApplicationFunction"=NotifyBusinessPartnerUpdate_Update_1 
| replace "*" in ns0:Code with "ABC"
| timechart count by ns0:Code

vaibhavvijay9 · ‎12-06-2018

Hi, ns0:Code has more than one value.
And want help on one more thing, that I want to rename it with a dynamic value and not with "ABC". So is there any concept of variables??

Thanks in advance.

How should I rename a dynamic value after using the timechart count by?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann