|
I have a search query that uses a regular expression to place values in a field/variable and then it aggregates values grouping them by the field/variable defined in the regular expression. This works fine, except that the output column names are something like AggregatedValues:GroupedValue, and I cannot rename them to something more user friendly. For example, this is the query: ... | rex field=_raw "type : (?<trxtype>[0-9]+)," | rex field=_raw "execution took (?<executiontime>.*) ms" | timechart span=1h, avg(executionTime) as "Avg Time", count(executionTime) as Trxs by trxType So I can get the average execution time and number of events per transaction type, and Splunk will print something like "Avg Time:SE1" or "Trxs:UP2", where SE1 and UP2 are the transaction types and the colon is placed by Splunk, however, I would like this renamed to something like "Search 1 Average Time", etc. Is this possible? Thanks, Cris. |
Refine your search:
- Apps & Questions
- Apps
- Questions
- Users
- Tags
Markdown Basics
- *italic* or _italic_
- **bold** or __bold__
- link:[text](http://url.com/ "Title")
- image?
- numbered list: 1. Foo 2. Bar
- to add a line break simply add two spaces to where you would like the new line to be.
- basic HTML tags are also supported
Tags:
Asked: 28 Feb '12, 13:51
Seen: 650 times
Last updated: 28 Feb '12, 13:51