- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Changing the Name of Results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changing the Name of Results
Hi,
I recently started using Splunk and searched for the answer to this but was unable to find it. I am trying to change the name of some of my search results. For instance, I am running the following search:
host="web01.inno-360.com" AND source="/var/log/apache2/pg_ssl_access.log" OR source="/var/log/apache2/disney_ssl_access.log" OR source="/var/log/apache2/afrl_ssl_access.log" OR source="/var/log/apache2/genmills_ssl_access.log" OR source="/var/log/apache2/mwv_ssl_access.log" OR source="/var/log/apache2/lmco_ssl_access.log" OR source="/var/log/apache2/givaudan_ssl_access.log" AND /users/login | stats count by source | RENAME source AS "Client Instance", count AS "Number of Logins"
The results I get back are fine, it has the file path listed under one column and the number I need for the other. However, when I go to create a graph, you are not able to read it fully because the file path is so long. So my question is, can I change that?
Ideally I would like to take the result for 'source="/var/log/apache2/lmco_ssl_access.log"' and change it to just LMCO so that it is readable in the graph.
Any help on this would be great!
-Tyler
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! That worked, now the name is listed as 'mwv_ssl_access.log'. What would be the regex to extract just 'MWV' out of 'mwv_ssl_access.log'?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I just added to the script:
host="web01.inno-360.com" AND source="/var/log/apache2/pg_ssl_access.log" OR source="/var/log/apache2/disney_ssl_access.log" OR source="/var/log/apache2/afrl_ssl_access.log" OR source="/var/log/apache2/genmills_ssl_access.log" OR source="/var/log/apache2/mwv_ssl_access.log" OR source="/var/log/apache2/lmco_ssl_access.log" OR source="/var/log/apache2/givaudan_ssl_access.log" AND /users/login | stats count by source | rex field=source "/(?
Now the results come back with the source_short column which is fine but when I go to create a graph I only want the 'source_short' field and not the 'source' field (which it is giving me).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rename the field first of all and then do your stats count by the source_short field instead.
host="web01.inno-360.com" AND source="/var/log/apache2/pg_ssl_access.log" OR source="/var/log/apache2/disney_ssl_access.log" OR source="/var/log/apache2/afrl_ssl_access.log" OR source="/var/log/apache2/genmills_ssl_access.log" OR source="/var/log/apache2/mwv_ssl_access.log" OR source="/var/log/apache2/lmco_ssl_access.log" OR source="/var/log/apache2/givaudan_ssl_access.log" AND /users/login | rex field=source "/(?<source_short>[^/]+)$" | stats count by source_short
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have a look at this q/a that deals with this exact matter. http://splunk-base.splunk.com/answers/43456/rename-source-in-chart
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
