Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rename a column name to yesterday's date in 'dd-mon-yy' format

kabiraj
Path Finder
‎06-10-2015 05:20 AM

Hi All,

I want to rename a column name to yesterday's date written in 'dd-mon-yy' format.

Search: 

sourcetype=shmapplogs "getMS3SAS ended for - deviceId" | top limit=0 showperc=0 channelId | lookup youview_channels.csv service_id_truncated AS channelId OUTPUT channel_name_letter | streamstats count AS position | fields channel_name_letter position | rename channel_name_letter as Channel position as "Popularity Index"

Result :

Channel           Popularity Index
BT Sport 1             1
BT Sport 2             2
Comedy Central         3
GOLD                     4

I want to rename the "Popularity Index" to yesterday's date which should be dynamic i.e for today it should be "09-Jun-15".
Results for today should look like :

Channel            09-Jun-15
BT Sport 1          1
BT Sport 2          2
Comedy Central      3
GOLD                  4

Is it possible? Please reply.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-10-2015 06:22 AM

You cannot do it with rename but you can clone the old field with an eval trick and then throw away the old field like this:

 ... | eval NewName = now() - (60*60*24) | eval NewName = strftime(NewName , "%ddm%Y") | eval {NewName} = "Popularity Index" | fields - "Popularity Index"

http://answers.splunk.com/answers/186312/method-to-rename-field-to-value-of-another-field.html

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-10-2015 06:22 AM

You cannot do it with rename but you can clone the old field with an eval trick and then throw away the old field like this:

 ... | eval NewName = now() - (60*60*24) | eval NewName = strftime(NewName , "%ddm%Y") | eval {NewName} = "Popularity Index" | fields - "Popularity Index"

http://answers.splunk.com/answers/186312/method-to-rename-field-to-value-of-another-field.html

Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-11-2015 11:03 PM

Thanks woodcock! The method in the link works perfectly!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...