Can you rename values extracted into fields?
Example - Here is a field I have called "filename" and some examples of values that were extracted.
filename=statement.pdf
filename=invoice.pdf
filename=invoice.html
Can I rename (or trick) these values from the field filename to show up in a chart or table as:
statement.pdf ====> Billing Statement
invoice.pdf ===> Billing Invoice
invoice.html ===> Drilldown Invoice
I was looking at eval but so far haven't figured anything out yet.
use eval
for example...
search whatever | eval Actual = case(filename = "statement.pdf","Billing Statement", filename = "invoice.pdf","Billing Invoice", filename = "invoice.html","Drilldown Invoice")
Hrmm... I don't understand.
On my summary page, I have a source listed as "WinEventLog:ForwardedEvents" that I'd like to rename to "DC Security Logs"
Anyone able to help?
Ya, I didn't get that either... I ended up simply using REX:
rex field=mount mode=sed "s/space/Splunk DB location/g"
This takes the value "space" in the mount field (this is a df output) and replaces the word "space" with "Splunk DB location".
use eval
for example...
search whatever | eval Actual = case(filename = "statement.pdf","Billing Statement", filename = "invoice.pdf","Billing Invoice", filename = "invoice.html","Drilldown Invoice")
and for some reason Comments like to remove my *'s from my searches. Will post what i mean as an answer...
Maybe I misunderstood the question, but this didn't work for me; the "replace" command worked great, though. Reference here:
http://answers.splunk.com/answers/7077/how-can-i-rename-the-host-names-for-my-chart.html
For some reason Scorecard won't show up w/ this search. sourcetype="EPPWEB" source="/opt/log//web_server/info.log" WAT | rex field=_raw "USER (?P
filename="-.pdf","Scorecard" is what I have at the end. I'm wondering if it's because of how it's defined earlier in the search with the NOT command?
haha yup eval can be used with just about anything...you can dig deeper by surrounding the eval with a coalesce for unknown values like coalesce(case(...),"unknown") and that will replace unknown definitions as "unknown"
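Pulling the three approaches from this thread together (the eval/case mapping, the default for unmapped values, and the replace command for renaming a source), here is a self-contained search that is an added example and not code posted by anyone in the thread. It builds its own sample rows with makeresults, so it runs without any indexed data; the file names, the "report.xlsx" row, the "WinEventLog:Security" source and the label text are constructed for the illustration.

```spl
| makeresults count=1
| eval filename=split("statement.pdf,invoice.pdf,invoice.html,report.xlsx", ","),
       source=split("WinEventLog:ForwardedEvents,WinEventLog:Security", ",")
| mvexpand filename
| mvexpand source
| eval label=case(
      filename=="statement.pdf", "Billing Statement",
      filename=="invoice.pdf",   "Billing Invoice",
      filename=="invoice.html",  "Drilldown Invoice",
      true(),                    "unmapped: ".filename)
| replace "WinEventLog:ForwardedEvents" WITH "DC Security Logs" IN source
| stats count BY source label
```

A few points worth knowing when you put this on a summary page. The `true()` branch at the end of `case()` is the built-in way to supply a default; without it (or without the `coalesce(case(...),"unknown")` wrapper mentioned above) any value you did not list gets a null label and silently drops out of a `stats ... by label` chart, which is exactly what you do not want when the missing bucket might be a new or unexpected file type. The `case()` comparisons are exact and case-sensitive, so if your extraction yields `Invoice.PDF` as well as `invoice.pdf`, compare against `lower(filename)` instead. Finally, `eval` leaves the original field intact (handy for drilldowns that still need the real file name), whereas `replace` rewrites the field value itself, so any drilldown search generated from the renamed `source` will carry "DC Security Logs" rather than the real source name.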