×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
criswebber
New Member
Member since: ‎02-28-2012
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-28-2012
View All

Rename aggregated group by fields with colon separ...

by in Splunk Search
‎02-28-2012 01:51 PM
‎02-28-2012 01:51 PM
I have a search query that uses a regular expression to place values in a field/variable and then it aggregates values grouping them by the field/variable defined in the regular expression. This works fine, except that the output column names are something like AggregatedValues:GroupedValue, and I cannot rename them to something more user friendly. For example, this is the query: ... | rex field=_raw "type : (? [0-9]+)," | rex field=_raw "execution took (? .*) ms" | timechart span=1h, avg(executionTime) as "Avg Time", count(executionTime) as Trxs by trxType So I can get the average execution time and number of events per transaction type, and Splunk will print something like "Avg Time:SE1" or "Trxs:UP2", where SE1 and UP2 are the transaction types and the colon is placed by Splunk, however, I would like this renamed to something like "Search 1 Average Time", etc. Is this possible? Thanks, Cris. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM