Splunk Search

changing column name

mileven
Explorer

host=server | eval size = len(_raw) | eval DSize = round(size/1024,2) | chart count(counter), sum(DSize) as "Daily indexed in KB" over source

Is the query I have. It creates 3 columns as I want, but the count(counters) is the middle column header and I want to change that to "Number of events". The rest of the query works just fine.

0 Karma

mileven
Explorer

host=server | eval size = len(_raw) | eval DSize = round(size/1024,2) | chart count(counter) as "number of events", sum(DSize) as "Daily indexed in KB" over source

Had the rename in the wrong part of the query.

0 Karma