Solved: How to rename an operation field which is being co...

Anu1184 · ‎07-29-2023

I am retrieving operation details like operation name, total time etc from json message log coming as a part of splunk search event. I want to have a custom name of the operation which was extracted from json data.

Current Result:-

Operation	Total time
PREDICT: A1: B1: C1	100
PREDICT: A2: B2: C2	200
PREDICT: A3: B3: C3	300
PREDICT: A4: B4: C4	400

Expected Result:-

Operation	Total time
Service_A1	100
Service_A2	200
Service_A3	300
Service_A4	400

gcusello · ‎07-29-2023

Hi @Anu1184,

if the expected values for OPeration are in a limitated and fixed number of values, you can use eval case to rename them at the end of your search:

| eval Operation=case(Operation="PREDICT: A1: B1: C1","Service_A1", Operation="PREDICT: A2: B2: C2","Service_A2", Operation="PREDICT: A3: B3: C3", "Service_A3", Operation="PREDICT: A4: B4: C4","Service_A4")

Ciao.

Giuseppe

View solution in original post

Anu1184 · ‎07-29-2023

Thank You!!

gcusello · ‎07-29-2023

Hi @Anu1184,

if the expected values for OPeration are in a limitated and fixed number of values, you can use eval case to rename them at the end of your search:

| eval Operation=case(Operation="PREDICT: A1: B1: C1","Service_A1", Operation="PREDICT: A2: B2: C2","Service_A2", Operation="PREDICT: A3: B3: C3", "Service_A3", Operation="PREDICT: A4: B4: C4","Service_A4")

Ciao.

Giuseppe

How to rename an operation field which is being computed from json (message log)?

fields

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector