Re: how to rename column name based on condition

hqw · ‎10-28-2015

Hi all,

I want to name the column name based on condition as below snapshot, for example, if Q1=A, then rename row 1 as text1, if Q2 is B then rename row is text 2.

Do you guys know how to achieve this?

Thanks

akanno · ‎10-29-2015

Do you use the transpose command like following?

index=_internal | stats count by sourcetype | transpose 7

you can use eval command and chart command instead of using the transpose command
try this search

index=_internal | stats count by sourcetype 
| eval a=if(sourcetype="mongod","test1",a) 
| eval a=if(sourcetype="scheduler","test2",a) 
| eval a=if(sourcetype="splunk_web_access","test3",a) 
| eval a=if(sourcetype="splunk_web_service","test4",a)
| eval a=if(sourcetype="splunkd","test5",a) 
| eval a=if(sourcetype="splunkd_access","test6",a) 
| eval a=if(sourcetype="splunkd_ui_access","test7",a)  
| eval column="percent"
| chart values(count) by column,a

hqw · ‎10-28-2015

sorry if Q0=A, then column name = text1, if Q0= B then column name = text2. Since I have sort the Q0, so the order of A B C D E would be change automatically, that is why I need use Q0 as a condition to rename column name.

how to rename column name based on condition

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor