Splunk Search

Renaming Disparate Search Fields

albyva
Communicator

I'm trying to rename two fields gathered from a search and having a problem.
In the example below, I have a search that pulls two different data sets. In the example,
packet_type 123 are total packets and packet_type 456 are discarded packets. What I
want to do is rename these so I can run stats and eval on their outputs.

index=generic router=ABC interface=FastEthernet packet_type="123" OR packet_type="456"

Ideally I'm trying to get something like this:

index=generic router=ABC interface=FastEthernet packet_type="123" OR packet_type="456"
| bucket _time span=5m
| rename packet_type="123" AS total_packets
| rename packet_type="456" AS discards
| eval packet_loss=discards/total_packets
| table router interface total_packets discards packet_loss

Here is a sample output of the search.

ABC|FastEthernet|123|2013-11-15 13:23:11|2216073638
ABC|FastEthernet|456|2013-11-15 13:26:37|110097234

Any suggestions, tips, hints, are appreciated.

Thanks,


aelliott
Motivator

I would use the case statement in this case:
case(X,"Y",...) This function takes pairs of arguments X and Y. X arguments are Boolean expressions that, when evaluated to TRUE, return the corresponding Y argument. The function defaults to NULL if none are true. This example returns descriptions for the corresponding HTTP status code:
... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")
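
Applying the case() suggestion to the question's own search, as an added example that is not from either poster: each row's counter is copied into a per-type column, and stats then collapses the two rows in each 5-minute bucket into one row, which is what makes the eval division possible. The field holding the counter value in the last column of the sample output is assumed here to be called packet_count.

```spl
index=generic router=ABC interface=FastEthernet packet_type="123" OR packet_type="456"
| bucket _time span=5m
| eval total_packets=case(packet_type="123", packet_count),
       discards=case(packet_type="456", packet_count)
| stats sum(total_packets) AS total_packets sum(discards) AS discards BY _time router interface
| eval packet_loss=if(total_packets > 0, round(discards/total_packets, 6), null())
| table _time router interface total_packets discards packet_loss
```

If a bucket contains only one of the two packet types, the other column is null after stats and packet_loss is left null instead of dividing by zero.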

albyva
Communicator

What about using transaction?
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/transaction

Just something that crossed my desk a few mins ago.
