I'm trying to rename two fields gathered from a search and am having a problem.
In the example below, I have a search that pulls two different data sets. In the example,
packet_type 123 are total packets and packet_type 456 are discarded packets. What I
want to do is rename these so I can run stats and eval on their outputs.
index=generic router=ABC interface=FastEthernet packet_type="123" OR packet_type="456"
Ideally I'm trying to get something like this:
index=generic router=ABC interface=FastEthernet packet_type="123" OR packet_type="456"
| bucket _time span=5m
| rename packet_type="123" AS total_packets
| rename packet_type="456" AS discards
| eval packet_loss=discards/total_packets
| table router interface total_packets discards packet_loss
Here is a sample output of the search.
ABC|FastEthernet|123|2013-11-15 13:23:11|2216073638
ABC|FastEthernet|456|2013-11-15 13:26:37|110097234
Any suggestions, tips, or hints are appreciated.
Thanks,
I would use the case statement in this case:
case(X,"Y",...) This function takes pairs of arguments X and Y. X arguments are Boolean expressions that, when evaluated to TRUE, return the corresponding Y argument. The function defaults to NULL if none are true. This example returns descriptions for the corresponding HTTP status code:
... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")
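Applying the case() approach to the search in the question, as an added example that is not from either poster. It assumes the packet counter in the last column of the sample output is an extracted field named packet_count (hypothetical; the question does not name it), and that total and discard events for one interface land in the same 5-minute bucket.

```spl
index=generic router=ABC interface=FastEthernet packet_type="123" OR packet_type="456"
| bucket _time span=5m
| eval total_packets=case(packet_type=="123", packet_count)
| eval discards=case(packet_type=="456", packet_count)
| stats sum(total_packets) AS total_packets sum(discards) AS discards BY _time router interface
| eval packet_loss=round(discards/total_packets, 6)
| table _time router interface total_packets discards packet_loss
```

case() with no matching pair returns NULL, so each event carries a value in only one of the two new fields, and stats ... BY _time router interface is what collapses the 123 and 456 events into one row; rename cannot do this because it renames a field, not the rows where that field has a given value. If a bucket has no 123 event, total_packets is null and the division yields a null packet_loss rather than an error.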
What about using transaction?
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/transaction
Just something that crossed my desk a few mins ago.