I have a chart that graphs by hostnames, but I don't want to see the fully qualified domain of each host. How could I rename the host values to be a subset of the name or a completely different name?
The replace command allows you to rename values in the search results. For example, let us assume you have the following search which produces a chart of error counts by host:
index=webserver sourcetype=syslog ERRORS | timechart count by host
This chart produces the correct output, but you want to alter the host names. This is because they are a very long string and you do not need the fully qualified domain. For example:
host1 = machine1-webserverpool1.subdomain.domain.com
host2 = machine2-webserverpool2.subdomain.domain.com
Let's assume I want to rename host1 and host2 to be m1pool1 and m2pool2. You can simply add the following replace command before the timechart:
replace machine1-webserverpool1.subdomain.domain.com with m1pool1, machine2-webserverpool2.subdomain.domain.com with m2pool2 in host
You must make sure you specify the "in host" at the end, which tells Splunk to replace the values within the host field. The final search would be:
index=webserver sourcetype=syslog ERRORS | replace machine1-webserverpool1.subdomain.domain.com with m1pool1, machine2-webserverpool2.subdomain.domain.com with m2pool2 in host | timechart count by host
Alternatively, you could use the rex command in combination with a regex to extract only the portion you want to see. Let's assume I want to completely remove the subdomain and only see the node name. The rex portion might look like:
rex field=host "^(?<hostname>[^.]+)\.subdomain"
The final search would be:
index=webserver sourcetype=syslog ERRORS | rex field=host "^(?<hostname>[^.]+)\.subdomain" | timechart count by hostname
The output of this search would show counts for machine1-webserverpool1 and machine2-webserverpool2.
Hello, my question is related to this topic, so I prefer to use this post rather than create a new question.
I also want to rename the fields to show different values. The above approaches work, but they replace the value of the target field in each event before counting, if I am not wrong. Is there any way to replace the value of the field after counting? For example, if I have host = x (40 times) and y (42 times) and I want to display xx and yy instead, is it necessary to replace "x" 40 times with "xx" and "y" 42 times with "yy" before doing "count by host" to see those labels, or is there any workaround to replace them just once after "count by host" has taken place?
Thanks
You can use rex in order to strip the hostname out of the FQDN:
| rex field=hostname "((?<my_host>[^\.]+)\.)?(?<my_domain>(([^\.]+\.)+)?[^\.]+)" | timechart count by my_host
You can use the eval command's replace function:
<your search> | eval host=replace(host, "^commonprefix\.", "") | <your report split by host>
see my answer to a different question over here -- http://answers.splunk.com/questions/6424/replace-parts-of-a-string/6430#6430
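Regarding the follow-up about relabeling after counting rather than per event: replace, rex and eval all operate on whatever rows are in the pipeline at the point where they appear, so they can run after stats just as well as before it, once per result row instead of once per event. The two searches below are an added example and are not part of any of the posted answers. They reuse the index, sourcetype and hostnames from the question and assume that every host ends in the same `.subdomain.domain.com` suffix, which is why the regex is anchored on that exact suffix rather than cutting at the first dot.

```spl
index=webserver sourcetype=syslog ERRORS
| stats count by host
| eval host=replace(host, "^([^.]+)\.subdomain\.domain\.com$", "\1")

index=webserver sourcetype=syslog ERRORS
| timechart count by host
| rename *.subdomain.domain.com AS *
```

In the first search the eval runs once per aggregated row, so with two hosts it executes twice regardless of how many events were counted. Anchoring the pattern with `^` and `$` means a host from a different domain keeps its full name instead of being partially rewritten, which is safer than stripping everything after the first dot when the data may contain hosts you did not expect. In the second search the host values have already become column names after timechart, so rename with a wildcard shortens the labels without touching `_time` or any non-matching column. If two FQDNs would collapse to the same short name, the first search leaves two rows with identical labels; append `| stats sum(count) AS count by host` to merge them.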