Solved: Renaming column at runtime without knowing at codi...

andreafebbo · ‎08-26-2016

Hi.
I have the following query

BASE QUERY earliest=-7d latest=now | bucket _time span=7d |  stats count as events by  source _time |chart sum(events) by source, _time

this query gives me the column source and, in this case, 2 columns (that if i change earliest and span, become N columns).

the deal is that those columns are names by the time, in some strange format (1471557600 and 1472162400).

so, in this case, I have 3 columns: source - 1471557600 - 1472162400.

I need to dynamically rename the columns by position, without knowing their names at run time.

Is there some command like: rename the 2nd column = "this week" ans the 3rd column = "last week" ?

Thank you

sundareshr · ‎08-26-2016

Try this

 BASE QUERY earliest=-14d latest=now | eval when=if(_time>relative_time(now(), "-7d@d"), "Current Week, "Prev Week") |  stats count as events by  source when |chart sum(events) by source, when

View solution in original post

sundareshr · ‎08-26-2016

Try this

 BASE QUERY earliest=-14d latest=now | eval when=if(_time>relative_time(now(), "-7d@d"), "Current Week, "Prev Week") |  stats count as events by  source when |chart sum(events) by source, when

andreafebbo · ‎08-29-2016

I works!
Thanks a lot!

martin_mueller · ‎08-26-2016

Have you considered using the timewrap command?

https://splunkbase.splunk.com/app/1645/

andreafebbo · ‎08-29-2016

Thanks!
I didn't use the timewrap for solving this issue but I will use it for other issues.

Renaming column at runtime without knowing at coding time their names.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!