Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is rename not working with stats or chart?

prakash007
Builder
‎02-03-2016 11:11 AM

I'm not able to rename file names to display in a pie chart...any help would be appreciated...
I tried both ways..

 index=web_server sourcetype=web_access  (file="pr.prod" OR file="cr.crt" OR file="src.jsp")  SESSIONID!="-" | dedup  SESSIONID | stats count by file | rename "pr.prod" AS "Products", "cr.crt" AS "Category", "src.jcp"  AS "Search"

 index=web_server sourcetype=web_access   SESSIONID!="-" | dedup SESSIONID |  stats count(eval( file="pr.prod")) AS Products, count(eval(file="cr.crt")) AS Category, count(eval(file="srchjsp")) AS search | stats count by file
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-03-2016 11:43 AM

The rename command changes the name of a field, not the values of a field. To change values, use the replace command.

index=web_server sourcetype=web_access  (file="pr.prod" OR file="cr.crt" OR file="src.jsp")  SESSIONID!="-" | dedup  SESSIONID | stats count by file | replace "pr.prod" with "Products" in file | replace "cr.crt" with "Category" in file | replace "src.jcp" with "Search" in file

The second method looks to me like it should work.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-03-2016 11:43 AM

The rename command changes the name of a field, not the values of a field. To change values, use the replace command.

index=web_server sourcetype=web_access  (file="pr.prod" OR file="cr.crt" OR file="src.jsp")  SESSIONID!="-" | dedup  SESSIONID | stats count by file | replace "pr.prod" with "Products" in file | replace "cr.crt" with "Category" in file | replace "src.jcp" with "Search" in file

The second method looks to me like it should work.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

prakash007
Builder
‎02-03-2016 01:56 PM

Thankyou...It worked,I have also added count at the end of the search to display the count by file in pie chart...

.......... | replace "src.jcp" with "Search" in file| eval  file_slice = count + "-" + file | fields file_slice, count
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...