Splunk Search

Rename results doesn't work

philallen1
Path Finder

Hi

I have a feeling I'm missing something simple here. This is my search:

sourcetype="ContributionWebApi"  DbQuery=* | chart count by DbQuery 

And these are my results:

DbQuery--------------------------------------------------------------------count

EXEC [usp_GetClientListHierarchyNode] --------------------------------------3

EXEC [usp_GetClientListHierarchyTopLevel]-----------------------------------68

EXEC [zambezi.usp_GetDealsByClient]-----------------------------------------77

SELECT DISTINCT(UserTeamId) FROM SmartWarehouse.dbo.SR_UserTeam-------------68

I want to rename the DbQuery results to something more meaningful. I.e. for the first row, I'd rather it says "EXEC GetClientListHierarchy"

Is it possible to do this in the initial search? (i.e. using "rename"?) If not, where and how can I do this?

Thanks a lot


somesoni2
SplunkTrust

Rename is for field names and you want to update field values, so that is not applicable for your case. You can use eval-replace if you know the possible strings you want to remove. Your example (changing "EXEC [usp_GetClientListHierarchyNode]" to "EXEC GetClientListHierarchy") can be achieved by the following:

sourcetype="ContributionWebApi" DbQuery=* | eval DbQuery=replace(DbQuery,"\[","") | eval DbQuery=replace(DbQuery,"\]","")| chart count by DbQuery

Forward slash is the escape character for brackets.

You can add more eval-replace parts for all your customizations.

lukejadamec
Super Champion

You can use eval case(), but you would need to list each one in the case statement, and you can’t use wildcards directly. It would look something like this:

sourcetype="ContributionWebApi" DbQuery=* | eval DbQuery_desc=case(DbQuery="EXEC [usp_GetClientListHierarchyNode]","EXEC GetClientListHierarchy",DbQuery="EXEC [usp_GetClientListHierarchyTopLevel]","EXEC usp_GetClientListHierarchyTopLevel",DbQuery="EXEC [zambezi.usp_GetDealsByClient]","EXEC zambezi.usp_GetDealsByClient",DbQuery="SELECT DISTINCT(UserTeamId) FROM SmartWarehouse.dbo.SR_UserTeam","SELECT DISTINCT UserTeamId FROM SmartWarehouse.dbo.SR_UserTeam") | chart count by DbQuery_desc

You may also be able to use a lookup. You would still need to list all of the possible results with your desired wording, but they would be in a csv file not in the search.
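
The lookup approach suggested above, as an added example that is not part of the original thread. It assumes a hypothetical lookup table file named dbquery_names.csv with the header DbQuery,DbQuery_desc and one row per raw query string, for example: EXEC [usp_GetClientListHierarchyNode],EXEC GetClientListHierarchy

```spl
sourcetype="ContributionWebApi" DbQuery=*
| lookup dbquery_names.csv DbQuery OUTPUT DbQuery_desc
| eval DbQuery_desc=coalesce(DbQuery_desc, DbQuery)
| chart count by DbQuery_desc
```

The coalesce() step keeps any query string that is missing from the CSV in the chart under its raw value, so a new or unexpected DbQuery value still shows up instead of silently disappearing from the counts.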
