Solved: Re: help to rename automatically random pie label

jip31 · ‎07-18-2019

Hi

I use the search below

[| inputlookup host.csv 
    | table host] index="x" sourcetype="x"
| bucket _time span=3m 
| where process_cpu_used_percent>80 
| dedup host process_name 
| stats count(host) as Total by process_name 
| sort -Total limit=10

process_name correspond to a piece of my pie chart and can be different at each times
I search an solution to rename automatically the process_name because one of them are not explicit
example : I have a process_name called "mfevtp" which correspond to McAFEE
So I want to display "McAFEE" in my label instead "mfevtp"
How to do this please?
thanks
regards

vnravikumar · ‎07-22-2019

Hi

Try this

...<your query>| eval process_name = if(like(process_name,"mfetvtp%"),"McAFEE",process_name)

View solution in original post

vnravikumar · ‎07-22-2019

Hi

Try this

...<your query>| eval process_name = if(like(process_name,"mfetvtp%"),"McAFEE",process_name)

jip31 · ‎07-22-2019

hi it seems to be ok!
last question, I have a lot of process name
so how to concatene them in if like??

vnravikumar · ‎07-22-2019

Hi

Try like

| eval process_name = case(like(process_name,"mfetvtp%"),"McAFEE",like(process_name,"abc%"),"ABC",1=1,process_name)

keep1=1 in your query, if none of the condition was matched it will return the value.

If its fine, please accept the answer.

jip31 · ‎07-22-2019

many thanks

jip31 · ‎07-22-2019

My case eval works but sometimes I need to use *

`| eval process_name=case(process_name=="mfevtps*")
But when I am doing * I have no results
How to use * in my case eavl please?

jitendragupta · ‎07-18-2019

What does this query give you? ->
index="x" sourcetype="x" | table process_name | dedup process_name

The only output of this query comes as a label in your pie chart.
I am not sure whether aliasing is there or not in Splunk. You can try this manual process:

 [| inputlookup host.csv 
     | table host] index="x" sourcetype="x"
 | bucket _time span=3m 
 | where process_cpu_used_percent>80 
 | dedup host process_name 
 | stats count(host) as Total by process_name 
 | sort -Total limit=10) | eval process_name=if(process_name="mfevtp","McAFEE ",process_name)

jip31 · ‎07-19-2019

thanks it works but sometimes I have not the exact name for the process name
and if I do eval process_name=if(process_name="mfevtp*","McAFEE ",process_name) it doesnt works
an idea please??

jitendragupta · ‎07-19-2019

If u know all possible values of the process_name, add them together in a case statement.

jip31 · ‎07-19-2019

yes but my question is why I can use *
sometime a process name can be named "mfetvtp1" or "mfevtp2"
But both have to be called McAFEE
So why I can do process_name="mfevtp*"??

help to rename automatically random pie label

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...