I use the search below
[| inputlookup host.csv
| table host] index="x" sourcetype="x"
| bucket _time span=3m
| where process_cpu_used_percent>80
| dedup host process_name
| stats count(host) as Total by process_name
| sort -Total limit=10
process_name corresponds to a piece of my pie chart and can be different each time.
I am looking for a solution to automatically rename the process_name because one of them is not explicit.
Example: I have a process_name called "mfevtp" which corresponds to McAFEE.
So I want to display "McAFEE" in my label instead of "mfevtp".
How to do this please?
Try this
...<your query>| eval process_name = if(like(process_name,"mfetvtp%"),"McAFEE",process_name)
Hi, it seems to be OK!
Last question: I have a lot of process names,
so how do I concatenate them in the if like?
Try like
| eval process_name = case(like(process_name,"mfetvtp%"),"McAFEE",like(process_name,"abc%"),"ABC",1=1,process_name)
In your query, if none of the conditions is matched, it will return the value.
If it's fine, please accept the answer.
many thanks
My case eval works, but sometimes I need to use *
| eval process_name=case(process_name=="mfevtps*")
But when I use * I get no results.
How do I use * in my case eval, please?
What does this query give you? ->
index="x" sourcetype="x" | table process_name | dedup process_name
The only output of this query comes as a label in your pie chart.
I am not sure whether aliasing is there or not in Splunk. You can try this manual process:
[| inputlookup host.csv
| table host] index="x" sourcetype="x"
| bucket _time span=3m
| where process_cpu_used_percent>80
| dedup host process_name
| stats count(host) as Total by process_name
| sort -Total limit=10 | eval process_name=if(process_name="mfevtp","McAFEE ",process_name)
Thanks, it works, but sometimes I do not have the exact name for the process name,
and if I do eval process_name=if(process_name="mfevtp*","McAFEE ",process_name) it doesn't work.
Any idea, please?
If you know all possible values of the process_name, add them together in a case statement.
Yes, but my question is why I can use *
Sometimes a process name can be named "mfetvtp1" or "mfevtp2"
But both have to be called McAFEE
So why I can do process_name="mfevtp*"??
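Added example, not part of the original thread: inside eval, = and == compare the whole string literally, so * is only treated as a wildcard by the search command, while like() takes % as its wildcard and match() takes a regular expression. The process names in constructed_names are constructed sample values, and the literal_test and label field names are assumptions made for this illustration.

```spl
| makeresults
| eval constructed_names="mfevtp,mfevtp1,mfevtps,abc01,svchost"
| eval process_name=split(constructed_names, ",")
| mvexpand process_name
| eval literal_test=if(process_name=="mfevtp*", "matched", "not matched")
| eval label=case(
    like(process_name, "mfevtp%"), "McAFEE",
    match(process_name, "^abc[0-9]+$"), "ABC",
    true(), process_name)
| table process_name literal_test label
```

The literal_test column stays "not matched" on every row because no process is literally named mfevtp*, while label groups every mfevtp-prefixed name under McAFEE and leaves unknown names unchanged.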