
How do I rename a field I don't know the name of or will be different into something I know e.g. X

HattrickNZ
Motivator

So, imagine I have a field name I don't know, and I want to change it to a name I do know. How would I do this?

I was thinking rename * as X

So instead of this output:

Date    How do i rename a field I don't know the name of or will be different into something I know e.g. X
1   1-Sep   0
2   2-Sep   0

I would have this output, but I don't know the name of the field to change it to X.

Date    X
1   1-Sep   0
2   2-Sep   0

Some sample search/data:

| makeresults 
 | eval data = "
  1-Sep    0;
  2-Sep    0; 
  " 
 | makemv delim=";" data 
 | mvexpand data 
 | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)" 
 | fields + Date kpi1 | rename kpi1 as "a name with spaces"
 | fields - _time
 | search Date=*
 | rename  "a name with spaces" as "How do i rename a field I don't know the name of or will be different into something I know e.g. X"
0 Karma

somesoni2
SplunkTrust

Would something like this work for you?

| gentimes start=-1
| eval data = "
1-Sep    0;
2-Sep    0; 
" 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)" 
| fields + Date kpi1 | rename kpi1 as "a name with spaces"
| fields - _time
| search Date=*
| rename  "a name with spaces" as "How do i rename a field I don't know the name of or will be different into something I know e.g. X"  | eval X=null()
| foreach * [ eval X=if("<<FIELD>>"!="Date" AND "<<FIELD>>"!="OtherFieldsYouWantToKeep" AND "<<FIELD>>"!="X",'<<FIELD>>',X) ] | table Date OtherFieldsYouWantToKeep X
0 Karma

HattrickNZ
Motivator

I could not follow that. But it got me thinking of something like this:

| foreach *X* [ rename "<<FIELD>>" as Y2 ]

So let's say I have a field name aXa (I only know it has an X in the middle). Can I change the field name to something I know, e.g. Y2?

0 Karma
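An added example, not posted by anyone in this thread, of the pattern asked about above: the field's name is only partially known (it contains an X, as in aXa), and its value is copied into a field with a known name (Y2) using foreach with eval, which is the form the foreach documentation shows, rather than rename. The sample data is constructed to match the question; the field names aXa, Y2 and matched_field are assumptions for the illustration.

```spl
| makeresults
| eval data = "1-Sep 0;2-Sep 0"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<aXa>\d+)"
| fields + Date aXa
| fields - _time
| eval Y2 = null(), matched_field = null()
| foreach *X* [ eval Y2 = if(isnull(Y2), '<<FIELD>>', Y2),
                     matched_field = if(isnull(matched_field), "<<FIELD>>", matched_field) ]
| fields - *X*
| table Date Y2 matched_field
```

Single quotes around '<<FIELD>>' read the field's value (and cope with names containing spaces); double quotes around "<<FIELD>>" turn the matched name into a string, so matched_field records which field was actually picked up. The isnull() guards mean the first field matching *X* wins if more than one does; drop them if you want the last match instead.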

HattrickNZ
Motivator

Effectively I want Y2 = eval *X*, but I'm not sure how to do it.
Y2: the new field that I know the name of
X: the field that I partially know the name of

0 Karma

dflodstrom
Builder

If you at least know a regex pattern you can use to extract the field name and value combinations, you can use an EXTRACT statement in props, or a combination of props and transforms, to extract your field names and values.

If, for example, your events contain something like "field=value", you could use (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

Here's an example of a config I've created in props to solve this very issue:
[mysourcetype]
EXTRACT-custom_sourcetype_extract= (?<_KEY_1>[\w\s]+)\:\s?(?<_VAL_1>[^\n]+)

For reference: Regex Field Name Extraction

0 Karma

HattrickNZ
Motivator

Thanks, but I was hoping to do it in the search, not in the config (props and transforms), if I understand correctly.

But I did try rex, and I think I still need to know the field name. Good idea to use regex to work on the pattern, though; I will see if I can do anything more with it.

| makeresults 
| eval data = "
  1-Sep    0;
  2-Sep    0; 
  " 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)" 
| fields + Date kpi1 | rename kpi1 as "a name with spaces"
| fields - _time
| search Date=*
| rename  "a name with spaces" as "kpi1"
| rex field=kpi1 "(?<host>\d+)"
0 Karma