How to rename a field that was recently extracted?

UsualSuspect7 · ‎07-28-2016

I recently extracted a few fields such as GBPS and now I would like to rename this particular field Bps.

Thank You, Anthony

skoelpin · ‎07-28-2016

Go to the settings at the top left of your Splunk GUI

Settings>Fields>Field Extractions

Find the field GBPS and click it. Then you will be shown a regular expression, the name will be inside the < and >..

Example

(?P<GBPS>\w+) will be changed to (?P<Bps>\w+)

Jeremiah · ‎07-28-2016

If you just need to rename a field in a search, use the rename command:

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Rename

... | rename GBPS AS Bps

If you want to permanently rename the field, you can edit the extraction and change the name. Search time field extractions are just that, they run at search time. So once you fix the field extraction, any subsequent searches will use the new field name for all of your data.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Managesearch-timefieldextractions
http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Createandmaintainsearch-timefieldextract...

If for some reason you need to keep both the old name and the new name, you can create a field alias instead.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Addaliasestofields

How to rename a field that was recently extracted?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life