Solved: Re: help to rename automatically random pie label

jip31 · ‎07-18-2019

Hi

I use the search below

[| inputlookup host.csv 
    | table host] index="x" sourcetype="x"
| bucket _time span=3m 
| where process_cpu_used_percent>80 
| dedup host process_name 
| stats count(host) as Total by process_name 
| sort -Total limit=10

process_name correspond to a piece of my pie chart and can be different at each times
I search an solution to rename automatically the process_name because one of them are not explicit
example : I have a process_name called "mfevtp" which correspond to McAFEE
So I want to display "McAFEE" in my label instead "mfevtp"
How to do this please?
thanks
regards

vnravikumar · ‎07-22-2019

Hi

Try this

...<your query>| eval process_name = if(like(process_name,"mfetvtp%"),"McAFEE",process_name)

View solution in original post

vnravikumar · ‎07-22-2019

Hi

Try this

...<your query>| eval process_name = if(like(process_name,"mfetvtp%"),"McAFEE",process_name)

jip31 · ‎07-22-2019

hi it seems to be ok!
last question, I have a lot of process name
so how to concatene them in if like??

vnravikumar · ‎07-22-2019

Hi

Try like

| eval process_name = case(like(process_name,"mfetvtp%"),"McAFEE",like(process_name,"abc%"),"ABC",1=1,process_name)

keep1=1 in your query, if none of the condition was matched it will return the value.

If its fine, please accept the answer.

jip31 · ‎07-22-2019

many thanks

jip31 · ‎07-22-2019

My case eval works but sometimes I need to use *

`| eval process_name=case(process_name=="mfevtps*")
But when I am doing * I have no results
How to use * in my case eavl please?

jitendragupta · ‎07-18-2019

What does this query give you? ->
index="x" sourcetype="x" | table process_name | dedup process_name

The only output of this query comes as a label in your pie chart.
I am not sure whether aliasing is there or not in Splunk. You can try this manual process:

 [| inputlookup host.csv 
     | table host] index="x" sourcetype="x"
 | bucket _time span=3m 
 | where process_cpu_used_percent>80 
 | dedup host process_name 
 | stats count(host) as Total by process_name 
 | sort -Total limit=10) | eval process_name=if(process_name="mfevtp","McAFEE ",process_name)

jip31 · ‎07-19-2019

thanks it works but sometimes I have not the exact name for the process name
and if I do eval process_name=if(process_name="mfevtp*","McAFEE ",process_name) it doesnt works
an idea please??

jitendragupta · ‎07-19-2019

If u know all possible values of the process_name, add them together in a case statement.

jip31 · ‎07-19-2019

yes but my question is why I can use *
sometime a process name can be named "mfetvtp1" or "mfevtp2"
But both have to be called McAFEE
So why I can do process_name="mfevtp*"??

help to rename automatically random pie label

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation