Splunk Search

Rename values using transforms.conf

gnovak
Builder

I originally asked this question here:

http://splunk-base.splunk.com/answers/55254/rename-values-extracted-into-field

This was regarding renaming values that were extracted into a field to something different. Example:

-filename=statement.pdf
I'd like statement.pdf to be known as "Scorecard".

The solution before was to use EVAL for this but the issue with that is that using eval will only single out those values you choose to rename in the command itself. It will only display those that were renamed and all other filenames were not listed.

I'm wondering if you can use transforms.conf for this instead. I'd like to have basically a list of where I have something like:


statement.pdf = Scorecard
invoice.pdf = Billing
ImHungry.pdf = Lunch

Anyone have any ideas to throw around with this one? I'm lookinng at transforms.conf in the admin manual but figured I'd also ask this here. I was also told to maybe try lookups.

Tags (1)
0 Karma

sdaniels
Splunk Employee
Splunk Employee

You should try a look up. That way you can have a .csv with the translations. When you do the lookup ( and you can set it up to be automatic ) everytime you access that source of data a new field will be created for you that contains the naming you want to use like Scorecard, Billing etc.

http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups

sdaniels
Splunk Employee
Splunk Employee
0 Karma

gnovak
Builder

I'm going to post this question separate as I followed the example, everything looks ok but still get error. I looked at other questions too and still same thing.

0 Karma

sdaniels
Splunk Employee
Splunk Employee

At the top of your csv file are the field names. So make sure you have those set up with no spaces, then when you get to the final step of creating the automatic lookup you'll define the key field (let's say doctype in your case) and then you'll define the other fields. The example is quite good. You'll see several other answers on here as well with folks running into issues.

Set the lookup to run automatically

  1. Return to the Manager > Lookups view and select Add new for Automatic lookups.

In the Manager > Lookups > Automatic lookups view:

0 Karma

gnovak
Builder

With the lookups, I followed the example but I never get it to work. I got this error [log1.nj.blahblah.blah] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::EPPWEB' and lookup table 'WAT_Lookups'.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...