Solved: Re: how to display a field two times in a table wi...

jip31 · ‎09-12-2019

hi

As you can see below, I am doing a stats with the field "process_name"
In order to be more comprenhensive, I am doing a rename of this field with a case function
But in my table, I would like to display this field 2 times : one time with the original name and another time with the name done after the rename
How I can do this please??

| stats values xxxxxx by host process_name 
| eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield")
| rename process_name as "Process name" 
| table "Process name"

Melstrathdee · ‎09-12-2019

Maybe evaluate it to a new field.
| stats values xxxxxx by host process_name
| eval "Process name" =case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield")
| table "Process name" process_name

View solution in original post

Melstrathdee · ‎09-12-2019

Maybe evaluate it to a new field.
| stats values xxxxxx by host process_name
| eval "Process name" =case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield")
| table "Process name" process_name

jip31 · ‎09-12-2019

no doesnt works

Melstrathdee · ‎09-12-2019

JIP31 check what your case statement, for me it returns an error.
Without seeing your data I cant be sure I have your syntax right, but maybe try the below.

| eval process_name=case(process_name
like "mfev%",process_name,
process_name like "mcdatrep",
process_name,
process_name=="mcshield",
process_name) | eval "Process name" =
process_name | table "Process name"
process_name

jip31 · ‎09-13-2019

like this it works thanks!

how to display a field two times in a table with the original values and after a rename of the values

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...