Splunk Search

Is there a way to set a field alias at search time?

knutsod
Path Finder

Is there a way to set a Field Alias at search time? I am building a report looking at Windows Event IDs. In this case I want to know if the User or the User_Name field is equal to something. This would be simple with an OR, but I am using an inputlookup subsearch to get the list of users from a CSV.

1 Solution

okrabbe
Explorer

Yes, there is the rename command:

mysearch | rename User as user User_Name as user

One other option is to use coalesce with an eval:

mysearch | eval user=coalesce(User, User_Name)

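Putting the accepted coalesce answer together with the original inputlookup subsearch, as an added example that is not part of the original thread. The unified field only exists after the eval, so the subsearch filter has to be applied with a later `search` command rather than in the base search; the index, sourcetype, lookup name and its `username` column are assumed here.

```spl
index=wineventlog sourcetype=WinEventLog:Security EventCode IN (4624, 4625)
| eval user=coalesce(User, User_Name)
| search [
    | inputlookup watched_users.csv
    | rename username AS user
    | fields user
  ]
| stats count AS events,
        values(EventCode) AS event_ids,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY user
| convert ctime(first_seen) ctime(last_seen)
```

The subsearch expands to `(user="a") OR (user="b") ...`, so renaming the lookup column to `user` is what makes it match the coalesced field; omitting the `fields user` line would leak any other lookup columns into the filter.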

somesoni2
SplunkTrust

You can handle that in the subsearch query itself, e.g.:

|inputlookup yourlookup.csv | eval User=User_Name | table User, User_Name | format "(" "(" "OR" ")" "OR" ")"



landen99
Motivator

rename replaces the target field, even if there was something there before, if it appears consecutively like this:

mysearch | rename User as user | rename User_Name as user

rename only coalesces if it appears for both fields within the same pipe like this:

mysearch | rename User as user User_Name as user