Hi Graham,
If a lookup before timechart isn't what you're looking for (I guess you have many events but only a few conn types),
have you considered using a custom search command?
Here's a simple script that might work for you (it might still need to be tuned to really work for you):
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import splunk.Intersplunk as sis

# Command arguments (keywords and key=value options); not used by this script.
keywords, options = sis.getKeywordsAndOptions()

# Raw conn_type value (a timechart column name) -> label to display instead.
conn_types = {
    '0000000A': 'From system XYZ',
    '0000000B': 'Entered on the command line',
    '0000000C': 'from C',
    '0000000D': 'others'
}

def main():
    # Read the rows produced by the preceding timechart.
    results = sis.readResults(None, None, True)
    for row in results:
        # Iterate over a copy of the keys: deleting from a dict while
        # iterating over it raises a RuntimeError.
        for key in list(row.keys()):
            new_name = conn_types.get(key.strip())
            if new_name:
                row[new_name] = row[key]
                del row[key]
    sis.outputResults(results)
    return 0

try:
    main()
except Exception as e:
    import traceback
    stack = traceback.format_exc()
    sis.generateErrorResults("Error '{e}'. {s}".format(e=e, s=stack))
You can place this script in $SPLUNK_HOME/etc/apps/search/bin/, say as renamecolumns.py,
and add/edit $SPLUNK_HOME/etc/apps/search/local/commands.conf:
[renamecolumns]
filename = renamecolumns.py
Then the search string:
source=*test.log | timechart count by conn_type | renamecolumns
Basically this reads the results and modifies the column names for you,
and of course you can read the mapping from a CSV file if you'd like to.
But if you have many events and/or a large lookup,
you might need to test which is faster - custom command or lookup.
HTH,
Bill
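As an added example, not part of Bill's post: the same column renaming written as a plain Python 3 function over Intersplunk-style rows, with the mapping loaded from CSV text (the CSV-file variant Bill mentions) and with two codes that share a label having their counts summed instead of the later one silently overwriting the earlier. The CSV columns conn_type/label and the sample rows are constructed; no Splunk module is needed to run it.

```python
import csv
import io

# Constructed sample lookup in CSV form (assumed columns: conn_type,label); in
# Splunk it would sit in the app's lookups directory rather than inline.
LOOKUP_CSV = """conn_type,label
0000000A,From system XYZ
0000000B,Entered on the command line
0000000C,from C
0000000D,others
0000000E,others
"""

# Constructed rows shaped like what Intersplunk hands a command after
# "timechart count by conn_type": every cell is a string.
SAMPLE_RESULTS = [
    {"_time": "1300000000", "_span": "3600", "0000000A": "3",
     "0000000C": "1", "0000000D": "2", "0000000E": "4"},
    {"_time": "1300003600", "_span": "3600", "0000000A": "0",
     "0000000B": "5", "0000000D": "1", "0000000F": "7"},
]

def load_mapping(csv_text):
    """Parse a conn_type -> label mapping from CSV text, trimming whitespace."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["conn_type"].strip(): r["label"].strip() for r in reader}

def rename_columns(results, mapping):
    """Return new rows with mapped column names; unmapped columns stay as they are.

    Codes sharing a label (0000000D and 0000000E -> "others") get their counts
    summed; a del/assign loop over the row would let the last one overwrite.
    """
    out = []
    for row in results:
        new_row = {}
        for key, value in row.items():
            label = mapping.get(key.strip(), key)
            if label in new_row:
                new_row[label] = str(int(new_row[label]) + int(value))
            else:
                new_row[label] = value
        out.append(new_row)
    return out

if __name__ == "__main__":
    for r in rename_columns(SAMPLE_RESULTS, load_mapping(LOOKUP_CSV)):
        print(r)
```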