×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lukasHoel
Explorer
Member since: ‎04-21-2015
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎04-21-2015
Activity Feed
View All

Re: What is the best way to rename field values an...

by in Splunk Search
‎04-23-2015 01:26 AM
1 Karma
‎04-23-2015 01:26 AM
1 Karma
Thanks for that! Using eval and case totally got it for me 🙂 Using those operations several times fixed the issue! ... View more

Re: What is the best way to rename field values an...

by in Splunk Search
‎04-21-2015 06:43 AM
‎04-21-2015 06:43 AM
Well using external sources with a lookup would not be a possibility, I guess. Maybe I could break the problem down to this: Say, that the extracted field value "Test123ABC" means actually "Application One". And then, when using the field in a field calculation, it will use "Application One" as value and not "Test123ABC". There must be an easy way to do this? I am searching for something like field aliases only for values, saying Test123ABC = Application One and using Application One, instead of Test123ABC when using the field. ... View more

What is the best way to rename field values and us...

by in Splunk Search
‎04-21-2015 06:17 AM
‎04-21-2015 06:17 AM
Hello, I have extracted three fields: Name , Type and Environment . Each of those fields is has multiple values. For example: Name = "fw.infra.prctrl.ClientStarter" (and more following this layout) Type = "somestuff.OLDTYPE.morestuff" Type = "somestuff.NEWTYPE.morestuff" Environment = "env A" Environment = "env B" Eventually, I want to combine those fields into a new field named NameOfApplication . The way I have done that, was by using the "Calculate Fields" Option with the eval Operation: "*Name + " - " Type" + " - " + "Environment*" As expected, the result was for example: "fw.infra.prctrl.ClientStarter - somestuff.NEWTYPE.morestuff - env A" But that is too long for my needs and I would like to have it in this way: "Application One - NEWTYPE - A" That's because I will use NameOfApplication in a Chart. So I have to tell Splunk that "fw.infra.prctrl.ClientStarter" means "Application One" and that I have to shorten the other fields. I know this is possible in the search bar by using "replace" or "rex" commands, but the field NameOfApplication is created with the "Calculate Fields" Option in SplunkWeb, so changing the values of the fields in the search bar won't affect the new field. Also, changing this manually in the search bar for every possible result might get too much, so doing it automatically would be great. How can I achieve my goal the best way? Changing the way completely wouldn't mind at all 🙂 Thanks for your help! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All