[feature] Auto translation of Splunk Field (with Special Char) to Tableau supported Field #19

mayurah · 2019-10-11T18:14:44Z

This is looking really good so far. Still having our users test it.
One caveat (not really an issue) is that I found that I needed to rename fields to have the WDC accept them.

Here is the test search I was using:

index=_audit action=search search=* user=* NOT user=splunk-system-user  earliest=-1h 
| rex field=search "index\s*=\s*\"*(?<indexname>[^\s\"]+)"  
| search indexname="*" 
| stats count by indexname user 
| rename count as searches
| stats list(indexname) by user searches

Because "stats list(indexname)" returns with brackets, I needed to modify the search as follows:

| rename list(indexname) as indexname

Not something I would consider an issue, but something for people who are migrating current searches to be aware of.

The text was updated successfully, but these errors were encountered:

mayurah · 2019-10-11T18:31:22Z

Duplicate #15

mayurah added enhancement New feature or request good first issue Good for newcomers labels Oct 11, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[feature] Auto translation of Splunk Field (with Special Char) to Tableau supported Field #19

[feature] Auto translation of Splunk Field (with Special Char) to Tableau supported Field #19

mayurah commented Oct 11, 2019

mayurah commented Oct 11, 2019

[feature] Auto translation of Splunk Field (with Special Char) to Tableau supported Field #19

[feature] Auto translation of Splunk Field (with Special Char) to Tableau supported Field #19

Comments

mayurah commented Oct 11, 2019

mayurah commented Oct 11, 2019