Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Making a chart and I want to change columns header names from Windows eventlog EventCodes to something readable

kpers
Path Finder
‎05-21-2015 03:02 PM

I am making a basic chart from windows event logs and the chart looks like this:

SourceName="Microsoft-Windows-IIS-IISReset" | chart count by host EventCode

I only get two event codes back and they are 3201 and 3202, basically telling me IIS either started or stopped. What would I put in the search to do something like:

| RENAME (EventCode=3201,"Start") RENAME (EventCode=3202,"Stop")

I know this is a simple one, but I can't seem to find an example that fits what I am looking for. It may be because I am new to Splunk and just too and to dumb to understand unless it is in baby talk LOL.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎05-21-2015 03:54 PM

Here you go:

SourceName="Microsoft-Windows-IIS-IISReset" | chart count by host EventCode|replace 3201 with Start in EventCode|replace 3202 with Stop in EventCode

Thanks

SGF

View solution in original post

Reply
Solved! Jump to solution

chimell
Motivator
‎05-21-2015 04:42 PM

Hi kpers
This search code can also work

SourceName="Microsoft-Windows-IIS-IISReset"|eval IIS=if(EventCode==3201 , "Start" , "Stop")|rename IIS as EventCode  | chart count by host EventCode
Reply
Solved! Jump to solution

kpers
Path Finder
‎05-21-2015 06:11 PM

This alternate option also worked! I just had to know how it worked and reverse engineer it and now I know more about how the eval/if command I kept seeing pop up in other posts. I like the simplicity of the replace command so I will stick with it in this basic search but the gears in my head are grinding on how I would use the eval/if combination in other situations.

Thank you so much for posing an alternate option that tough me a another Spluk trick!

Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎05-21-2015 03:54 PM

Here you go:

SourceName="Microsoft-Windows-IIS-IISReset" | chart count by host EventCode|replace 3201 with Start in EventCode|replace 3202 with Stop in EventCode

Thanks

SGF
Reply
Solved! Jump to solution

kpers
Path Finder
‎05-21-2015 04:32 PM

Thanks! that got me on the right track, it didn't work with the replaces after the chart but when I put them in front of the pipe chart it worked!

SourceName="Microsoft-Windows-IIS-IISReset" | replace 3201 with Start in EventCode| replace 3202 with Stop in EventCode | chart count by host EventCode

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...