How i can rename the field output value in splunk...

hrs2019 · ‎01-14-2020

how i can rename the field output value in splunk.

below is the screen short
i want to RENAME

PPN | V0.2019 |2456 TO PPN | v0.1342 |2546

want to do changes in project update field and number of users side field for PPN client.

dindu · ‎01-14-2020

Hi,
You could use the eval command to achieve this.
I assume the values are hardcoded as in the question.

Please try and let us know.

 |your_search
 |eval  "Project Update"=if(Clients="PPN","v0.1342",'Project Update')
 |eval  "Number of users"=if(Clients="PPN","2546",'Number of users')
 |table Clients,"Project Update","Number of users"

hrs2019 · ‎01-14-2020

Thanks @dindu no it is not hardcoded it is changing but i want to rename this time by manual.

to4kawa · ‎01-14-2020

what's v0.1342?
are you goiog to copy client PPN's values to CNB?

...
| eval "Project Update"=if(Client="CNB","v0.1342",'Project Update')
| eval "Number of users"=if(Client="CNB",2546,'Number of user')

If you want to change the field values, that's it.

hrs2019 · ‎01-14-2020

sorry @to4kawa i have corrected the question it is PPN not CNB and v0.1342 is kind of version (updates)

How i can rename the field output value in splunk.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms