How to change the name of the field only on the di...

theouhuios · ‎10-24-2012

Hello

I am trying to enable the drilldown option and when the drilldown is taking place the search is not able to go back to the original data. It's because of this

 rename 1 as Emergency  2 as High, 3 as Medium, 4 as Low

The data is in 1,2,3,4 priorities and I had to rename it so that it comes in the format needed. But when drilldown is being done its searching for "high" and the data is not available.

Any idea on how do I solve this issue?

woodcock · ‎10-15-2019

Yes, fieldformat is the correct solution. Instead of rename, do this:

... | fieldformat 1 = Emergency
| fieldformat 2 = High
| fieldformat 3 = Medium
| fieldformat 4 = Low

sandeepmakkena · ‎10-15-2019

There two ways to fix it.
1. Pass the token values to the drill-downs with original names
2. Just follow the same naming in the drill-downs as well, what I mean is just rename the fields as in your main search.

Hope this helps, Thanks!

kml_uvce · ‎03-16-2013

you can do like this |rename record.priority AS RecordPriority|eval RecordPriority=case(RecordPriority==1,"Emergency",RecordPriority==2,"High",RecordPriority==3,"Medium",RecordPriority==4,"Low")

-Kamal Bisht

Ayn · ‎10-24-2012

I believe fieldformat (http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Fieldformat ) is precisely what you're looking for.

theouhuios · ‎10-24-2012

Oh.Ok. Will see if there is any other way. Thanks for all the help.

Ayn · ‎10-24-2012

I suspect that might be because your dots in the fieldnames. That is likely to cause troubles one way or another because dots are also interpreted as concatenation operators when using eval.

theouhuios · ‎10-24-2012

It gives an error saying operator == has been given different values.

theouhuios · ‎10-24-2012

Well record.priority is a field in the data. So thats the only field which I will be using.. Will it be like this below

fieldformat record.priority=case(record.priority==1,"Emergency",record.priority==2,"High",record.priority==3,"Medium",record.priority==4,"Low")

Ayn · ‎10-24-2012

You're switching priority and record.priority a bit. Are you using both?

theouhuios · ‎10-24-2012

....|dedup record.nextBreachTime| rex field=record.nextBreachTime "\s+(?(\d{2})):" | eval thehour=tonumber(thehour) | eval Timeperiod=case(thehour=0,1,thehour>0 AND thehour<4,2,thehour>4 AND thehour<8,3,thehour>8,4)|sort - count | contingency Timeperiod priority | fieldformat priority=case(record.priority==1,"Emergency",record.priority==2,"High",record.priority==3,"Medium",record.priority==4,"Low")

theouhuios · ‎10-24-2012

It still doesn't work. Here is the complete search string. Also if you can, please let me know if I can actually place alphabets in the "Timeperiod" case statements rather than bucketing it according to numbers. I wanted to use 'Count at 0' for '1' in the case statements. Any idea

Ayn · ‎10-24-2012

Sure. With a fieldname called "priority", at the end of your search, add something like this:

... | fieldformat priority=case(priority==1,"Emergency",priority==2,"High",priority==3,"Medium",priority==4,"Low")

theouhuios · ‎10-24-2012

Hmm.. I did try the fieldformat but it isn't working. May be I am using it in a wrong way.

Can you please give an example considering the above case on how do we use it?

The field which gives the data about the priority is record.priority.

How to change the name of the field only on the display

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability