change column name with specified new column value...

vikas_baranwal · ‎06-26-2018

Hi,

I am having correct value in current field and want to use that value as column name which is currently showing as A. Please help to solve this issue. For any other information please let me know.

e.g if current is '06-24-2018' then in table header row should have column name as '06-24-2018'

| base search
| eval current = strftime(currentTime,"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| table "Project",A

Sukisen1981 · ‎06-26-2018

something like this -

Use the value of one field as the name for a new field In this example, use each value of the field counter to make a new field name. Assign to the new field the value of the Value field. See Field names under the Usage section.

index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value
in your case |eval {current}=A
Ref. http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval#4._Use_the_value_of_one_field...

After running this you need to check your interesting field and add a last | stats values(06-15-2018) by "Project"
assuming your currentTime value is 06-15-2018

vikas_baranwal · ‎06-27-2018

My current SPL is like below in which currently weeks are hard -coded with values.

| eval "06-04-2018" = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval "05-28-2018" = if(P1P1>0 OR P2P1>0,"R",if(P3P1>0,"Y","G"))
| eval "05-21-2018" = if(P1P2>0 OR P2P2>0,"R",if(P3P2>0,"Y","G"))
| eval "05-14-2018" = if(P1P3>0 OR P2P3>0,"R",if(P3P3>0,"Y","G"))
| eval "05-07-2018" = if(P1P4>0 OR P2P4>0,"R",if(P3P4>0,"Y","G"))
| table "Project","05-07-2018","05-14-2018","05-21-2018","05-28-2018"," 06-04-2018"
| sort Project

Using above query in SPL, data is in showing in below structure(Project field is already exist in the event data).

[Screenshot attached ]

Now I want to display my header column with week’s date. I modified query as advised by you but it did not work.

| eval current = strftime(relative_time(now(),"@w1"),"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval {current} = A

Thanks in advance for your help!
alt text

Sukisen1981 · ‎06-27-2018

Hi,
Perhaps I am not getting your use case or I am not able to explain. At any rate I have written a query on the default _audit index , so that you can run the query as it is (select last 24 hours)
index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-27-2018

Now, the 06-27-2018 needs to be replaced by current day -1, so if you run this on 30th June you would write something like - index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-29-2018

Is this something like what you need?

paulbannister · ‎06-26-2018

Hi There,

Can you expand on the problem a little more, such as what the data looks like and your expected outcome? At first glance from the above data my thoughts would be to use the CHART command by the field in question

vikas_baranwal · ‎06-26-2018

I want to display column name with a date as an output of eval command and This date is also coming from a eval command output.
Hope this information helps you to provide me solution.
Thanks in advance!

niketn · ‎06-26-2018

@vikas_baranwal can you give the output table format. While it is clear that you need Date as table header, it is not clear what would each row look like. What is your current data. Sample data and current table and expected table format would be helpful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

change column name with specified new column value in Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM