Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

How to edit my search to change the output of certain strings in results?

SecureIA
Path Finder
‎02-29-2016 05:58 AM

Hi Helpful People,

I have a table which tells me perfectly well who is logged in to systems. My results show the words "Opened" and "Closed". I wish for them to say "In" or "Out" instead. Is there anyway that I can achieve this so that my results are more readable. My search is as follows:

host=?? NOT host=?? NOT host=?? NOT username=?? NOT username= ?? NOT username= ?? NOT username=?? "Session opened" OR "Session closed" | sort username time | chart latest(lstate) over username by host.
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: How to edit my search to change the output of certain strings in results?

somesoni2
SplunkTrust
SplunkTrust
‎02-29-2016 06:13 AM

You can use replace command for that. http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Replace

host=?? NOT host=?? NOT host=?? NOT username=?? NOT username= ?? NOT username= ?? NOT username=?? "Session opened" OR "Session closed" | sort username time | chart latest(lstate) over username by host | replace "Opened" with "In" "Closed" with "Out" in *

View solution in original post

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: How to edit my search to change the output of certain strings in results?

SecureIA
Path Finder
‎03-01-2016 02:20 AM

Thank you so much!! I remember doing this a while back but had totally forgotten. Thanks for reminding me

0 Karma
Reply