Splunk Search

Dynamic renaming of column header in a table

chrismorris
Explorer

How do I get timeColumnName to read as "July"? It needs to be dynamic. Keying off of the eval or something similar.

index="main" |eval timeColumnName=strftime(_time, "%b %d")|stats sparkline AS timeColumnName count by userName

The solution should easily work with

index="main" |eval timeColumnName=strftime(_time, "%b %d")|stats sparkline AS timeColumnName count by userName

Explicitly renaming |rename timeColumnName AS July is not what I'm looking for. I don't want to update the code in August.

For the first example, output should look like:

userName    July                                    Count
userA       prettyGraphic, use your imagination     54
userB       prettyGraphic                           23

And example 2 should have the date for an individual day:

userName    July 12                                 Count
userA       prettyGraphic, use your imagination     54
userB       prettyGraphic                           23

Sadly, the output currently looks like:

userName    timeColumnName                          Count
userA       prettyGraphic, use your imagination     54
userB       prettyGraphic                           23

Thanks in advance for any ideas.

kristian_kolb
Ultra Champion

Hello,
You could have a look at the following search (unless you've already solved the problem yourself). It makes use of the field date_month, which is calculated for all events (apart from any Windows event logs), along with date_hour, date_minute, date_wday, etc.

your_search_here | chart sparkline count AS usage_count over userid by date_month

userid     sparkline:september     usage_count:september
adam       graphics here           43
bill       graphics here           92
cecilia    graphics here           238

As you will see, it does not edit the actual column header, but rather uses the date_month as its header, of sorts. However, it will only look as intended if you limit the search so that only events from a single month are returned. The search will work for other time-ranges as well, but the output will not be what you desire.

Hope this helps,

Kristian
