Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the results without any other field names appended

akarivaratharaj
Communicator
‎09-21-2017 05:46 AM

I am trying to execute the below query in Splunk Enterprise.

index=x sourcetype=y|join TABLE_NAME [|inputlookup Domain_Module_List.csv |search (Domain ="Inventory")] |eval DATA_MB =round(DATA_KB/1024,2) |eval INDEX_MB = round(INDEX_SIZE_KB/1024,2) |timechart span=1mon limit=25 sum(DATA_MB) as datamb,sum(INDEX_MB) as indexmb by Domain|foreach indexmb* datamb* [eval size<>='datamd<>'+'indexmd<>']|fields - datamd* indexmd*

Below is the result which I am getting:

_time size: Inventory size: Platform size:Financial
2017-08 1546672397.67 22240.14 745
2017-09 991610023.13 4040.69 603

Time and Domain name are the two fields which I am trying to fetch. Ideally the Domain name display should be Inventory, Platform, Financial but it is showing as size: Inventory size: Platform and size:Financial.

Could anyone please help me to get rid of "size:" from the above results.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎09-21-2017 05:54 AM

there are two ways around removing size: from the results.

first way would be: |rename "size: *" with *

the second way would be: |foreach "size: *" [eval <<MATCHSTR>> = '<<FIELD>>']

the first way is likely more efficient, however, if there was any evaluating you'd want to do on the fields, foreach is a great way to do that to all of them at the same time.
http://docs.splunk.com/Documentation/Splunk/6.6.3/SearchReference/Foreach

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎09-21-2017 05:54 AM

there are two ways around removing size: from the results.

first way would be: |rename "size: *" with *

the second way would be: |foreach "size: *" [eval <<MATCHSTR>> = '<<FIELD>>']

the first way is likely more efficient, however, if there was any evaluating you'd want to do on the fields, foreach is a great way to do that to all of them at the same time.
http://docs.splunk.com/Documentation/Splunk/6.6.3/SearchReference/Foreach

0 Karma
Reply
Solved! Jump to solution

akarivaratharaj
Communicator
‎09-21-2017 11:04 AM

Hi cmerriman,

The first query of renaming has worked. Thanks for the help

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...