Dynamic renaming of column header in a table

chrismorris
Explorer

How do I get timeColumnName to read as "July"? It needs to be dynamic. Keying off of the eval or something similar.

index="main" |eval timeColumnName=strftime(_time, "%b %d")|stats sparkline AS timeColumnName count by userName

The solution should easily work with

index="main" |eval timeColumnName=strftime(_time, "%b %d")|stats sparkline AS timeColumnName count by userName

Explicitly renaming |rename timeColumnName AS July is not what I'm looking for. I don't want to update the code in August.

For the first example, output should look like:

userName    July                                   Count
userA       prettyGraphic, use your imagination    54
userB       prettyGraphic                          23

And example 2 should have the date for an individual day:

userName    July 12                                Count
userA       prettyGraphic, use your imagination    54
userB       prettyGraphic                          23

Sadly, the output currently looks like:

userName    timeColumnName                         Count
userA       prettyGraphic, use your imagination    54
userB       prettyGraphic                          23

Thanks in advance for any ideas.

kristian_kolb
Ultra Champion

Hello,
You could have a look at the following search (unless you've already solved the problem yourself). It makes use of the field date_month, which is calculated for all events (apart from any Windows event logs), along with date_hour, date_minute, date_wday, etc.

your_search_here | chart sparkline count AS usage_count over userid by date_month

userid     sparkline:september     usage_count:september
adam       graphics here           43
bill       graphics here           92
cecilia    graphics here           238

As you will see, it does not edit the actual column header, but rather uses the date_month as its header, of sorts. However, it will only look as intended if you limit the search so that only events from a single month are returned. The search will work for other time-ranges as well, but the output will not be what you desire.

Hope this helps,

Kristian
