When I run the following query, my legend has the values as values(fieldname):
index=main source=daily_report sourcetype=ironport_stats | chart values(malicious_url),values(detected_virus) over insert_date by server
How would I rename the values fields so they show up as what I want in the legend of the graph?
Thanks in advance!
If you use column-split options with charting commands like chart/timechart (over field by field for chart and by field for timechart), it'll create columns which include the values of the by clause field.
E.g. ..|chart count over field1 by field2 will give columns field1, field2value1, field2value2....
If you're using multiple aggregations, Splunk can't differentiate them with just the field1value, so it appends the aggregation column names as well.
E.g. ..|chart count dc(field3) over field1 by field2 will give columns field1, count:field2value1, count:field2value2..., dc(field3):field2value1, dc(field3):field2value2....
I would rename the aggregation field within the chart command itself to give it a proper name, so that chart generates series with proper names. E.g. ..|chart count dc(field3) as label over field1 by field2 will give columns field1, count:field2value1, count:field2value2..., label:field2value1, label:field2value2....
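Applying that inline alias to the query from the question (added example, not posted in the original thread; the field and source names are the asker's, and the server values mail1/mail2 are taken from the follow-up):

```spl
index=main source=daily_report sourcetype=ironport_stats
| chart values(malicious_url) AS malicious_url,
        values(detected_virus) AS detected_virus
        over insert_date by server
```

With the alias inside chart, the generated series (and so the legend entries) are named malicious_url: mail1, malicious_url: mail2, detected_virus: mail1, and so on. A rename placed after chart has no effect because by then no field called values(malicious_url) exists any more; the columns are already named values(malicious_url): mail1 and the like.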
What is the field name that you expect to come? Consider using stats instead of chart.
Try:
index=main source=daily_report sourcetype=ironport_stats | chart values(malicious_url),values(detected_virus) over insert_date by server | rename values(malicious_url) as malicious_url values(detected_virus) as detected_virus
This didn't work. The legend still shows:
values(malicious_url): mail1
values(malicious_url): mail2