How To Rename Field(Column) Names Dynamically In Splunk


Hi Guys !!
Hope you are enjoying the blog posts. Today we have come with a new Splunk trick which you may never have seen before. Have you ever thought of renaming field (column) names dynamically? Today we will show you how to do it.

First, look at the query below:

index=_internal sourcetype=splunkd_ui_access
| bin span=1mon@mon _time
| stats count by _time
| eval last_month=relative_time(now(),"-1mon@mon")
| eval present_month=relative_time(now(),"-0mon@mon")
| eval last_month_count=if('_time'=last_month,count,null())
| eval present_month_count=if('_time'=present_month,count,null())
| fields - _time,last_month,present_month,count
| fillnull


In the above query we have bucketed the events into calendar months (bin span=1mon@mon) and counted them per month. We then computed the start of last month and of the present month relative to now, using the relative_time function with the eval command, and used the if function with eval to keep a month's count only when its _time matches the corresponding relative month. Because both _time (snapped by bin) and the relative_time values are aligned to the start of the month, the equality comparison works. This gives the right numbers, but the client wants to see the actual month names as the column headers alongside their counts. Renaming fields is easy with the rename command, but then you have to hard-code the names, and the problem is how to change the field names dynamically. See the steps below to achieve this requirement.

Step 1:
First, extract the month portion of the two relative months. We have used the strftime function with the eval command, with the "%B" format string, to get the full month name for each relative month. Then, using the "." (concatenation) operator, we have appended "_month_count" to that name. The remaining problem is how to turn these values into column headers.

index=_internal sourcetype=splunkd_ui_access
| bin span=1mon@mon _time
| stats count by _time
| eval last_month=relative_time(now(),"-1mon@mon")
| eval present_month=relative_time(now(),"-0mon@mon")
| eval last_month_count=if('_time'=last_month,count,null())
| eval present_month_count=if('_time'=present_month,count,null())
| fields - _time,last_month,present_month,count
| fillnull
| eval Last_Month_Name=strftime(relative_time(now(),"-1mon@mon"),"%B")."_month_count"
| eval Present_Month_Name=strftime(relative_time(now(),"-0mon@mon"),"%B")."_month_count"


Step 2:
Now it's time to reveal the secret of the trick. Wrapping a field name in curly braces on the left-hand side of eval, as in eval {Last_Month_Name}=last_month_count, tells eval to use the value of Last_Month_Name as the name of the new field rather than the literal text. In effect the field name is computed from the data. Look at the result: the month names have moved into the header row, and under each header we get the count for that month. We didn't hard-code anything; all the header values come dynamically from the search.

index=_internal sourcetype=splunkd_ui_access
| bin span=1mon@mon _time
| stats count by _time
| eval last_month=relative_time(now(),"-1mon@mon")
| eval present_month=relative_time(now(),"-0mon@mon")
| eval last_month_count=if('_time'=last_month,count,null())
| eval present_month_count=if('_time'=present_month,count,null())
| fields - _time,last_month,present_month,count
| fillnull
| eval Last_Month_Name=strftime(relative_time(now(),"-1mon@mon"),"%B")."_month_count"
| eval Present_Month_Name=strftime(relative_time(now(),"-0mon@mon"),"%B")."_month_count"
| eval {Last_Month_Name}=last_month_count
| eval {Present_Month_Name}=present_month_count


Step 3:
Finally, we have used the fields command to remove the helper fields from the result set. As you can see, only the dynamically named fields remain as column headers.

index=_internal sourcetype=splunkd_ui_access
| bin span=1mon@mon _time
| stats count by _time
| eval last_month=relative_time(now(),"-1mon@mon")
| eval present_month=relative_time(now(),"-0mon@mon")
| eval last_month_count=if('_time'=last_month,count,null())
| eval present_month_count=if('_time'=present_month,count,null())
| fields - _time,last_month,present_month,count
| fillnull
| eval Last_Month_Name=strftime(relative_time(now(),"-1mon@mon"),"%B")."_month_count"
| eval Present_Month_Name=strftime(relative_time(now(),"-0mon@mon"),"%B")."_month_count"
| eval {Last_Month_Name}=last_month_count
| eval {Present_Month_Name}=present_month_count
| fields - Last_Month_Name,Present_Month_Name,present_month_count,last_month_count
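The following search is an added example, not part of the original post, that generalizes the eval {} technique from Steps 1 to 3 to any number of months. Instead of reading index=_internal, it builds its own input with makeresults, so it runs on any Splunk instance without depending on your data: the three rows and their counts (42, 37, 51) are constructed sample values, and the field names n and col are helper names chosen for this example. The month name is computed once per row from the row's own _time, so no per-month eval is needed, and a final stats collapses the rows into a single row with one dynamically named column per month.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=relative_time(now(), "-".(n-1)."mon@mon")
| eval count=case(n=1, 42, n=2, 37, n=3, 51)
| eval col=strftime(_time, "%B_%Y")."_month_count"
| eval {col}=count
| fields - _time n count col
| stats values(*) AS *
```

Two points worth noting. The "%B_%Y" format includes the year, so a 13-month window does not produce two columns with the same name that silently overwrite each other. And because eval {col}=count creates a different field on each row, the result before the final stats is one sparse row per month; the stats values(*) AS * call merges them into a single row, which is the shape a dashboard table expects. Column order in the merged row is not guaranteed to be chronological, since the names are only known at search time and cannot be listed in a table command; if order matters, prefix the name with a sortable value such as strftime(_time, "%Y%m") instead.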


Hope this trick helps you in the future if you get this type of requirement from a client.
Happy Splunking !!
