Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Renaming column names(field value) in a search result

nitin_gurram
New Member
‎02-12-2016 07:46 AM

We have a test index which captures all the response times of different transactions by version

I wrote a search to display different response times by different transactions and version

index=testing test_type=CI  test_function="ok.pct90" | chart avg(transaction_RT_val) AS "90%_RT" by transaction, version

I want to write to show the difference in response time between every vealt textrsion (Version numbers keep on changing every time)

Maybe some thing like this but the problem with this one is the version number always change

index=testing test_type=CI  test_function="ok.pct90" | chart avg(transaction_RT_val) AS "90%_RT" by transaction,version | rename "99864.0.0" as Test1, "99867.0.0" as Test2 , "99868.0.0" as Test3 | eval Change1 = ((Test2-Test1)/Test2*100) | eval  Change2 = ((Test3-Test2)/Test3*100) | fields transaction, Change1, Change2

Preferably I want to filter the results to show a maximum of last 5 versions

Preview file
14 KB
0 Karma
Reply

somesoni2
Revered Legend
‎02-12-2016 09:43 AM

Try something like this (this is assuming that a version is available for all transactions)

Update
I must've goofed up while pasting the answer. Here is the full search.

Assumption: Every transaction has events for all versions. Version is in format major.minor.build

index=testing test_type=CI  test_function="ok.pct90" | stats avg(transaction_RT_val) as transaction_RT_val by transaction,version | rex field=version "(?<major>\d+)\.(?<minor>\d+)\.(?<build>\d+)" | sort transaction major minor build | streamstats count as sno by transaction | eval version="Test".tostring(sno)  | chart avg(transaction_RT_val) AS "90%_RT" by transaction,version | eval Change1 = ((Test2-Test1)/Test2*100) | eval  Change2 = ((Test3-Test2)/Test3*100) | eval Change3 = ((Test4-Test3)/Test4*100) | eval  Change4 = ((Test5-Test4)/Test5*100) | fields transaction, Change*
0 Karma
Reply

nitin_gurram
New Member
‎02-14-2016 11:32 PM

Hi! you almost wrote the same query that I wrote
I got Test1,Test2 , Test3 by renaming version numbers those fields do not exist. note that version numbers are changing and they are not constants so I can't rename them

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...