Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I rename field name with dollar and curly braces in name?

ReddySk
Engager
‎10-04-2018 07:43 AM

Hello,

I would like to ask you how to rename field name like "${http.headers.ClientSide}".

Such names are generated by Axway API GW into audit log.

Searching and filtering is working when i use backslahes:

index="axway"  source="group-6_instance-9.log"| spath "customMsgAtts.\$\{http.headers.ClientSide\}" | search "customMsgAtts.\$\{http.headers.ClientSide\}"="165.72.31.104"

but renaming does nothing:

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.\$\{http.headers.ClientSide\} as "ClientSide"

I have tried also various codes: 

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.${http.headers.ClientSide} as "ClientSide"

and

index="axway"  source="group-6_instance-9.log" | rename "customMsgAtts.\$\{http.headers.ClientSide\}" as "ClientSide"

with no result.

Any hint what I am doing wrong?

Source data:

{ correlationId:    4b22b65b1133c88ed95c0591       
  customMsgAtts: {      
    ${http.headers.ClientSide}: 165.72.31.104
    http.destination.host: localhost    
    service.name: Healthcheck       }       
  duration: 2       
  legs: [   [+]     ]      
path: /healthcheck/  
  protocol: https       
  protocolSrc: 48065       
  serviceContexts: [    [+]     ]      
  status: success       
  time: 1538662987857       
  type: transaction 
}

Thanks in advance
Reddy

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-17-2018 06:04 AM

@ReddySk

I think your search should work.

Can you please try below search to filter data?

| makeresults | eval _raw="{\"correlationId\":\"4b22b65b1133c88ed95c0591\",\"customMsgAtts\": { \"${http.headers.ClientSide}\" : \"165.72.31.104\",\"service.name\":\"Healthcheck\"}}" | kv | rename "customMsgAtts.${http.headers.ClientSide}" as ClientSide

Please provide your event with sample data so I can help more.

0 Karma
Reply

sudosplunk
Motivator
‎10-17-2018 05:19 AM

Hi,

Can you try below search. This search extracts the ip address in ${http.headers.ClientSide} field with new field name ClientSide

 index="axway"  source="group-6_instance-9.log" | rex field=_raw "ClientSide\}\:\s(?<ClientSide>[\d\.]+)" | table ClinetSide
0 Karma
Reply

harishalipaka
Motivator
‎10-04-2018 12:12 PM

@ReddySk

Or else try like this..

| makeresults | eval hari="${http.headers.ClientSide}" | transpose | replace "${http.headers.ClientSide}" with "newname" |transpose
Thanks
Harish
0 Karma
Reply

ReddySk
Engager
‎10-17-2018 05:22 AM

Hi Hari, i tried that but the value of field hari is not substituted, just it is the string "${http.headers.ClientSide}"

0 Karma
Reply

Vijeta
Influencer
‎10-04-2018 11:30 AM

Have you tried-

rename  "customMsgAtts.${http.headers.ClientSide}" as ClientSide
0 Karma
Reply

ReddySk
Engager
‎10-17-2018 05:03 AM

Hello, this doesn't work unfortunately.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...