Rename aggregated group by fields with colon separ...

criswebber · ‎02-28-2012

I have a search query that uses a regular expression to place values in a field/variable and then it aggregates values grouping them by the field/variable defined in the regular expression. This works fine, except that the output column names are something like AggregatedValues:GroupedValue, and I cannot rename them to something more user friendly. For example, this is the query:

... | rex field=_raw "type : (?[0-9]+)," | rex field=_raw "execution took (?.*) ms" | timechart span=1h, avg(executionTime) as "Avg Time", count(executionTime) as Trxs by trxType

So I can get the average execution time and number of events per transaction type, and Splunk will print something like "Avg Time:SE1" or "Trxs:UP2", where SE1 and UP2 are the transaction types and the colon is placed by Splunk, however, I would like this renamed to something like "Search 1 Average Time", etc. Is this possible?

Thanks,

Cris.

woodcock · ‎07-04-2015

The rename command does wildcards so you can do something like this:

... | rex field=_raw "type : (?[0-9]+)," | rex field=_raw "execution took (?.*) ms" | timechart span=1h, avg(executionTime) as "Avg Time", count(executionTime) as Trxs by trxType | rename "Avg Time:SE*" AS "Search * Average Time" "Trxs:UP*" AS "Search * Transactions"

Rename aggregated group by fields with colon separator

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio