Hi guys
I have a problem here and I need ur help!
I have a table in a dashboard with column _time. I would like to rename _time as time so I tried 2 methods to do that.
Method A:
index="from_host_demo" source="Perfmon:Network Interface" | convert timeformat="%Y/%m/%d %T" ctime(_time) as time | table time collection counter Value
and Method B:
index="from_host_demo" source="Perfmon:Network Interface" | rename _time as time | table time collection counter Value| fieldformat time=strftime(time, "%Y/%m/%d %T")
Both methods work well and I got what I wanted, but I soon found I got no event if I drill down from tables and I see the format of _time causes this problem.
For example, if I drill down the second table, the search line would be
index="from_host_demo" source="Perfmon:Network Interface" Value="283.51863284535062" | eval time=_time | search time="2015/07/30 11:26:34"
and got no events. But if I change the search line into
index="from_host_demo" source="Perfmon:Network Interface" Value="283.51863284535062" | eval time=_time | search time="1438226794"
then the event I want comes out.
So I tried to change the drilldown link as below:
<drilldown target="_blank">
<link>
<![CDATA[search?q=index="from_host_demo" collection="$row.collection$" counter="$row.counter$" Value="$row.Value$" | convert timeformat="%Y/%m/%d %T" ctime(_time) as time |where time="$row.time$"]]>
</link>
</drilldown>
If I drill down the table, it comes out "loading" and will not even show any result! However, when I typed the search line in the search page without tokens, but with data, it worked!
So what I want is to rename the _time column, but still have the drilldown function work. What should I do to solve this problem? And by the way, what is the difference between method A and method B? Thx a lot!
Got a solution...it works but is not perfect.
<table>
<title>rename time</title>
<search>
<query>index="perform" source="Perfmon:Network118"
| convert timeformat="%Y/%m/%d %T" ctime(_time) as time2
| eval collection2 = collection | eval counter2 = counter | eval Value2 = Value
| rename _time as time
| table time time2 collection collection2 counter counter2 Value Value2
| rename time2 as 时とき, collection2 as 集まる, counter2 as 分類, Value2 as 数値</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<drilldown target="_blank">
<link>
<![CDATA[search?q= search index="perform"
collection="$row.collection$"
counter="$row.counter$"
Value="$row.Value$"
_time="$row.time$"]]>
</link>
</drilldown>
<fields>["时とき","集まる","分類","数値"]</fields>
</table>
For example, if you have 4 columns to show and all of them need to be renamed, you should have 8 columns in your table - 4 of them to display (renamed) and 4 holding the values for drilldown. Then use row.field to take the values of the columns that aren't renamed and use fields to show the renamed columns.
IMHO, this is a bug and should be reported as such. Especially because this also doesn't work (and DEFINITELY should):
index="from_host_demo" source="Perfmon:Network Interface" | fieldformat _time = strftime(_time, "%Y/%m/%d %T") | table _time collection counter Value
yep another error 😞
Hi LuiesCui,
you're aware that Splunk already has built-in Japanese locales?
Don't re-invent the wheel, just use this URI and you're good:
http[s]://YourSplunkServer:YourSplunkPort/ja-JP/
This cannot be set by default but Splunk should switch to the correct locale if used in a Japanese browser - maybe...
Hope this helps ...
cheers, MuS
And here is a nice Chrome plug-in which will take care of switching to the correct locale if Splunk does not: https://chrome.google.com/webstore/detail/quick-language-switcher/pmjbhfmaphnpbehdanbjphdcniaelfie
cheers, MuS
Tried and didn't work. Can I rename those column headers outside of the search line? I mean, I want to edit the column name in the XML as a property of the table. Any way to do that?
What did not work, using the ja-JP locale or using the fieldformat?
Try the ja-JP locale without the fieldformat.
I'm not aware of a column header rename function outside the search, but then again I'm no Web developer and I haven't used the Splunk Web Framework a lot.
Could anyone help?
Why do you need to rename _time?
My client wants the panel shown in Japanese