Splunk Search

Rename values extracted into field

gnovak
Builder

Can you rename values extracted into fields?

Example - Here is a field I have called "filename" and some examples of values that were extracted.

filename=statement.pdf
filename=invoice.pdf
filename=invoice.html

Can I rename (or trick) these values from the field filename to show up in a chart or table as:

statement.pdf ====> Billing Statement
invoice.pdf ===> Billing Invoice
invoice.html ===> Drilldown Invoice

I was looking at eval but so far haven't figured anything out yet.

1 Solution

splunk_gs
Explorer

use eval
for example...

search whatever | eval Actual = case(filename = "statement.pdf","Billing Statement",filename = "invoice.pdf","Billing Invoice", filename = "invoice.html","Drilldown Invoice")

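As an added example (not part of the accepted answer), here is the same case() mapping with two things a practitioner usually wants: a catch-all branch so values you did not anticipate still show up on the chart instead of silently vanishing, and the mapping applied after stats so the raw filename is still there to filter on. The index and sourcetype names are assumed; case() compares strings literally and case-sensitively, so the value is lowercased first.

```spl
index=web sourcetype=access_combined filename=*
| stats count BY filename
| eval label=case(
      lower(filename)="statement.pdf", "Billing Statement",
      lower(filename)="invoice.pdf",   "Billing Invoice",
      lower(filename)="invoice.html",  "Drilldown Invoice",
      true(),                          "Other: ".filename)
| stats sum(count) AS count BY label
| sort - count
```

Without the `true()` branch, case() returns null for any unmapped filename and that row drops out of the final `stats ... BY label`; wrapping the case() in coalesce(case(...),"unknown") achieves the same thing. Keeping the original filename in the "Other:" label makes it obvious which values still need a mapping.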

ackoch
Explorer

Hrmm... I don't understand.

On my summary page, I have a source listed as "WinEventLog:ForwardedEvents" that I'd like to rename to "DC Security Logs"

Anyone able to help?


Michael
Contributor

Ya, I didn't get that either... I ended up simply using rex:

rex field=mount mode=sed "s/space/Splunk DB location/g"

This takes the value "space" in the mount field (this is a df output) and replaces the word "space" with "Splunk DB location".

gnovak
Builder

And for some reason comments like to remove my *'s from my searches. Will post what I mean as an answer...


Michael
Contributor

Maybe I misunderstood the question, but this didn't work for me; the "replace" command worked great. Reference here:

http://answers.splunk.com/answers/7077/how-can-i-rename-the-host-names-for-my-chart.html

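An added example (not from the thread) of the replace approach linked above, applied to ackoch's source rename. The index name and the EventCode filter (4625, failed logon) are assumed. replace rewrites the field value in the result set, so it belongs after the search filters and the stats that rely on the original value; a `search source="WinEventLog:ForwardedEvents"` placed after it would match nothing.

```spl
index=wineventlog source="WinEventLog:ForwardedEvents" EventCode=4625
| stats count BY source, EventCode
| replace "WinEventLog:ForwardedEvents" WITH "DC Security Logs",
          "WinEventLog:Security"        WITH "Local Security Log" IN source
```

Several old WITH new pairs can be listed in one replace command, as shown, and unlisted source values pass through unchanged, so the chart never loses a row the way an incomplete case() with no default does.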

gnovak
Builder

For some reason Scorecard won't show up with this search.

sourcetype="EPPWEB" source="/opt/log//web_server/info.log" WAT | rex field=_raw "USER (?P<registrar>[\d+-\w\w]) downloading ./(?<filename>.+?)$" | search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=-.pdf NOT filename=-_.pdf | stats count by registrar, filename | eval Actual=case(filename="Statement.pdf","Billing Statement",filename="Invoice.pdf","Billing Invoice",filename="text.txt","Billing Text",filename="-*.pdf","Scorecard")


gnovak
Builder

filename="-.pdf","Scorecard" is what I have at the end. I'm wondering if it's because of how it's defined earlier in the search with the NOT command?

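An added example, not gnovak's own search, of what is different about the last branch. Wildcards work in search and where, but inside eval, filename="-*.pdf" is a literal string comparison, so that branch only matches a filename that actually contains an asterisk; everything else in the "-...pdf" family gets a null Actual and falls out of the chart. Use like() (SQL-style % wildcard) or match() (regex) for that branch. The rex pattern here is a simplified assumption (username as a run of non-whitespace, filename as the last path component), not the one in the original search.

```spl
sourcetype="EPPWEB" source="/opt/log//web_server/info.log" WAT
| rex field=_raw "USER (?<registrar>\S+) downloading .*/(?<filename>[^/]+)$"
| search filename="Invoice.pdf" OR filename="Statement.pdf" OR filename="text.txt"
         OR filename="-*.pdf" NOT filename="-_*.pdf"
| stats count BY registrar, filename
| eval Actual=case(
      filename="Statement.pdf",      "Billing Statement",
      filename="Invoice.pdf",        "Billing Invoice",
      filename="text.txt",           "Billing Text",
      like(filename, "-%.pdf"),      "Scorecard",
      true(),                        "Unmapped: ".filename)
| stats sum(count) AS count BY registrar, Actual
```

The NOT in the search stage already removes the "-_*.pdf" names before eval runs, so the like() branch does not need to repeat that exclusion; match(filename, "^-.*\.pdf$") would do the same job if the pattern needs anchoring. Note that the comparisons are case-sensitive: "Invoice.pdf" and "invoice.pdf" are different values to case().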

splunk_gs
Explorer

Haha, yup, eval can be used with just about anything... You can dig deeper by surrounding the eval with a coalesce for unknown values, like coalesce(case(...),"unknown"), and that will replace unknown definitions with "unknown".
