index=xxx earliest=-7d@d latest=@d ( sourcetype="FirstSourceType" ResponsePayLoad="*xxx*" ActivityStep="rs" (ResponseStatus!=500 OR ResponseStatus!=400) ) OR ( sourcetype="SecondSourceType" OperationName=CSRequestProcessor.post ActivityStep="rs" ResponseStatus=0) | eval txn_id=if(transaction_id LIKE "[%]", substr(transaction_id, 2, 36) , transaction_id) | chart sum(Duration) over txn_id by sourcetype What I get is a table with three columns : txn_id ..... FirstSourceType .... SecondSourceType Is it possible to rename FirstSourceType & SecondSourceType to "Total Time Taken" & "Total time taken by zzz" respectively? I tried rename command but couldn't get it to work: index=xxx earliest=-7d@d latest=@d ( sourcetype="FirstSourceType" ResponsePayLoad="*xxx*" ActivityStep="rs" (ResponseStatus!=500 OR ResponseStatus!=400) ) | rename sourcetype to "Total Time Taken" OR ( sourcetype="SecondSourceType" OperationName=CSRequestProcessor.post ActivityStep="rs" ResponseStatus=0) | rename sourcetype to ""Total time taken by zzz" | eval txn_id=if(transaction_id LIKE "[%]", substr(transaction_id, 2, 36) , transaction_id) | chart sum(Duration) over txn_id by sourcetype But I got the error: Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+ ... View more

index=inctv starttime=10/07/2015:00:00:00 endtime=10/13/2015:00:00:00 (sourcetype="mysource" OperationName="*MyImpl.*" ActivityStep="rs") | eval txn_id=if(transaction_id LIKE "[%]", substr(transaction_id, 2, 36) , transaction_id) | chart values(Duration) over txn_id by OperationName This gives me results arranged by transaction Ids like: Transaction ID MyImpl.method1() MyImpl.method2() MyImpl.method3() trx_id1 3 4 6 trx_id2 5 6 7 trx_id3 5 5 5 What I want is: Transaction ID All MyImpl Calls trx_id1 13 trx_id2 17 trx_id3 15 I am an absolute beginner in Splunk, so it would be very nice if you could explain what your solution does exactly. Thanks ... View more