Splunk Search

How to trim column in table?

naujla85
Explorer

Hello, 

 

I am running the following query. 

index=sys_tools_ecc-appd application_name=CAPRI-1130 | table * | search source=business_transactions business_transactions.metricName="*Average Response Time (ms)*" | timechart avg(business_transactions.metricValues{}.value) by business_transactions.metricPath

 

The business_transactions.metricPath names are all too long example below:

1. Business Transaction Performance|Business Transactions|APP|/dbq/ecrud|Average Response Time (ms)

2. Business Transaction Performance|Business Transactions|APP|/dbq/BTSXDRRequest_PortTypeWS|Average Response Time (ms)

 

Need to trim them from both side. I need to remove  "Business Transaction Performance|Business Transactions" from the front and "|Average Response Time (ms)" from the back before displaying them on column. 

 

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Use an AS clause in the timechart command to specify a shorter name for the average value field.

 

| timechart avg(business_transactions.metricValues{}.value) as avgMetricValue by business_transactions.metricPath

 

Or use rename

| rename "Business Transaction Performance|Business Transactions|*|Average Response Time (ms)" as *

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use an AS clause in the timechart command to specify a shorter name for the average value field.

 

| timechart avg(business_transactions.metricValues{}.value) as avgMetricValue by business_transactions.metricPath

 

Or use rename

| rename "Business Transaction Performance|Business Transactions|*|Average Response Time (ms)" as *

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

naujla85
Explorer

second solution worked for me thank you!!!!!

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this before the timechart command

| eval business_transactions.metricPath=replace(business_transactions.metricPath,"Business Transaction Performance\|Business Transactions\"","")
| eval business_transactions.metricPath=replace(business_transactions.metricPath,"\|Average Response Time (ms)","")
0 Karma

naujla85
Explorer

its showing me null value. 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...