Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Renaming Disparate Search Fields

albyva
Communicator
‎11-15-2013 06:12 AM

I'm trying to rename two fields gathered from a search and having a problem.
In the example below, I have a search that pulls two different data sets. In the example,
packet_type 123 are total packets and packet_type 456 are discarded packets. What I
want to do is rename these so I can run stats and eval on their outputs.

index=generic router=ABC interface=FastEthernet packet_type="123" OR packet_type="456"

Ideally I'm trying to get something like this:

index=generic router=ABC interface=FastEthernet packet_type="123" OR packet_type="456"
| bucket _time span=5m
| rename packet_type="123" AS total_packets
| rename packet_type="456" AS discards
| eval packet_loss=discards/total_packets
| table router interface total_packets discards packet_loss

Here is a sample output of the search.

ABC|FastEthernet|123|2013-11-15 13:23:11|2216073638
ABC|FastEthernet|456|2013-11-15 13:26:37|110097234

Any suggestions, tips, hints, are appreciated.

Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aelliott
Motivator
‎11-15-2013 06:21 AM

i would use the case statement in this case:
case(X,"Y",...) This function takes pairs of arguments X and Y. X arguments are Boolean expressions that, when evaluated to TRUE, return the corresponding Y argument. The function defaults to NULL if none are true. This example returns descriptions for the corresponding http status code:
... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

View solution in original post

Reply
Solved! Jump to solution
Solution

aelliott
Motivator
‎11-15-2013 06:21 AM

i would use the case statement in this case:
case(X,"Y",...) This function takes pairs of arguments X and Y. X arguments are Boolean expressions that, when evaluated to TRUE, return the corresponding Y argument. The function defaults to NULL if none are true. This example returns descriptions for the corresponding http status code:
... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

Reply
Solved! Jump to solution

albyva
Communicator
‎11-15-2013 06:48 AM

What about using transaction?
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/transaction

Just something that crossed my desk a few mins ago.

Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...