Renaming column names(field value) in a search result

nitin_gurram
New Member

We have a test index which captures all the response times of different transactions by version

I wrote a search to display different response times by different transactions and version

index=testing test_type=CI  test_function="ok.pct90" | chart avg(transaction_RT_val) AS "90%_RT" by transaction, version

I want to write a search that shows the difference in response time between every version (version numbers keep changing every time).

Maybe something like this, but the problem with this one is that the version numbers always change:

index=testing test_type=CI test_function="ok.pct90"
| chart avg(transaction_RT_val) AS "90%_RT" by transaction, version
| rename "99864.0.0" as Test1, "99867.0.0" as Test2, "99868.0.0" as Test3
| eval Change1 = ((Test2-Test1)/Test2*100)
| eval Change2 = ((Test3-Test2)/Test3*100)
| fields transaction, Change1, Change2

Preferably I want to filter the results to show a maximum of the last 5 versions.


somesoni2
Revered Legend

Try something like this (this is assuming that a version is available for all transactions)

Update
I must've goofed up while pasting the answer. Here is the full search.

Assumption: Every transaction has events for all versions. Version is in the format major.minor.build.

index=testing test_type=CI test_function="ok.pct90"
| stats avg(transaction_RT_val) as transaction_RT_val by transaction, version
| rex field=version "(?<major>\d+)\.(?<minor>\d+)\.(?<build>\d+)"
| sort transaction major minor build
| streamstats count as sno by transaction
| eval version="Test".tostring(sno)
| chart avg(transaction_RT_val) AS "90%_RT" by transaction, version
| eval Change1 = ((Test2-Test1)/Test2*100)
| eval Change2 = ((Test3-Test2)/Test3*100)
| eval Change3 = ((Test4-Test3)/Test4*100)
| eval Change4 = ((Test5-Test4)/Test5*100)
| fields transaction, Change*

nitin_gurram
New Member

Hi! You almost wrote the same query that I wrote.
I got Test1, Test2, Test3 by renaming version numbers; those fields do not exist. Note that version numbers are changing and they are not constants, so I can't rename them.

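The searches in this thread number versions from the oldest upward, so once a transaction has more than five versions the Change fields describe the first five, not the most recent ones, and the "last 5 versions" part of the question is not addressed. The search below is an added example, not part of the thread: it reuses the thread's index, sourcetype fields and transaction_RT_val, but the rank, slot, vname, lname and Version* names, the "newest first" ordering and the per-transaction cutoff are my own choices. It numbers the five most recent versions of each transaction so that Test5 is always the latest build and the Version1..Version5 columns tell you which real version each slot refers to.

```spl
index=testing test_type=CI test_function="ok.pct90"
| stats avg(transaction_RT_val) AS rt BY transaction, version
| rex field=version "^(?<major>\d+)\.(?<minor>\d+)\.(?<build>\d+)$"
| where isnotnull(build)
| sort 0 transaction, -num(major), -num(minor), -num(build)
| streamstats count AS rank BY transaction
| where rank <= 5
| eval slot = 6 - rank
| eval vname = "Test" . tostring(slot), lname = "Version" . tostring(slot)
| eval {vname} = rt, {lname} = version
| fields transaction, Test*, Version*
| stats first(*) AS * BY transaction
| eval Change1 = round((Test2 - Test1) / Test1 * 100, 2)
| eval Change2 = round((Test3 - Test2) / Test2 * 100, 2)
| eval Change3 = round((Test4 - Test3) / Test3 * 100, 2)
| eval Change4 = round((Test5 - Test4) / Test4 * 100, 2)
| table transaction, Version1, Version2, Version3, Version4, Version5, Change1, Change2, Change3, Change4
```

How it works, step by step: rex splits the version into numeric parts so "99868.0.0" sorts after "9999.0.0" (a plain string sort would put it first), and the where isnotnull(build) line drops any version that does not follow major.minor.build rather than letting it land in an unpredictable position. sort 0 with the -num() prefixes orders newest first within each transaction and lifts the default 10000-row cap; streamstats then assigns rank 1 to the newest version, where rank <= 5 keeps only the last five, and slot = 6 - rank renumbers them oldest to newest so the latest version is always Test5. The {vname} and {lname} evals create the Test<n> and Version<n> fields dynamically, so no rename of a hard-coded version number is needed, and stats first(*) AS * collapses the per-version rows back to one row per transaction. If a transaction has only three versions, they occupy Test3..Test5 and Change1 and Change2 come out null, because eval arithmetic on a missing field yields null (as does division by zero). Note that the percent change here is relative to the older version; the thread's searches divide by the newer value, so pick one convention and label the column accordingly.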