I have a query that counts by source and leaves me with fields that are named like /logs/containers/3198058471-5mdkn_ef22f06f3462c74029d23d3ef6d5c765ecd41c2f86f796b074ea2e2de83bf4bd.log.
I would like to rename my fields to whatever comes after /logs/containers/ and before the _.
I am looking for something like this:
| rename /logs/containers/*_* as *
@maartendhondt
Can you please try this?
YOUR_SEARCH | foreach "/logs/containers/*" [ eval field=mvindex(split("<<MATCHSTR>>","_"),0), {field}='<<FIELD>>' ] | fields - "/logs/containers/*", field
My Sample Search:
| makeresults
| eval "/logs/containers/3198058471-5mdkn_ef22f06f3462c74029d23d3ef6d5c765ecd41c2f86f796b074ea2e2de83bf4bd.log"="aaa"
| foreach "/logs/containers/*" [ eval field=mvindex(split("<<MATCHSTR>>","_"),0), {field}='<<FIELD>>' ] | fields - "/logs/containers/*", field
Thanks
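Added example, not code from the question or the answer above: a Python emulation of what the foreach rename does to one result row, so you can see the prefix/underscore split and, more importantly, what happens when two log-file fields collapse to the same short name (for instance a container that restarted and got a new container ID under the same pod suffix). In the SPL answer, `{field}='<<FIELD>>'` is a plain assignment, so the second field to map onto a name overwrites the first and its count is lost; the `on_collision="sum"` mode here shows the alternative. The sample row and the pod/container names in it are constructed for this example.

```python
"""Emulate the SPL answer
    foreach "/logs/containers/*" [ eval field=mvindex(split("<<MATCHSTR>>","_"),0), {field}='<<FIELD>>' ]
over one result row, and show the collision behaviour when two log files map to one short name.
"""

PREFIX = "/logs/containers/"  # the literal prefix from the question


def short_name(field):
    """Part of `field` after PREFIX and before the first '_'.

    Mirrors mvindex(split("<<MATCHSTR>>", "_"), 0): <<MATCHSTR>> is what the
    wildcard matched, i.e. the field name with PREFIX removed. A name with no
    '_' is returned whole, as split() would yield a single-element list.
    """
    if not field.startswith(PREFIX):
        raise ValueError(f"{field!r} does not start with {PREFIX!r}")
    return field[len(PREFIX):].split("_", 1)[0]


def rename_row(row, on_collision="overwrite"):
    """Rename every PREFIX* field in `row` to its short name.

    on_collision="overwrite" reproduces the SPL answer: the eval simply
    assigns, so when two fields share a short name one of the two counts is
    lost (in this emulation the later field wins).
    on_collision="sum" adds the counts instead, which is what you usually
    want when the fields are counts per log file and two files belong to the
    same pod. Fields outside the wildcard are passed through untouched.
    """
    out = {}
    for field, value in row.items():
        if not field.startswith(PREFIX):
            out[field] = value
            continue
        new = short_name(field)
        if new in out and on_collision == "sum":
            out[new] += value
        else:
            out[new] = value
    return out


# Constructed sample row, shaped like one row of `... | chart count by source`:
# the 5mdkn pod has two log files (a restarted container, new container ID).
# The hex container IDs and the second pod name are made up.
SAMPLE_ROW = {
    "_time": "2024-01-01T00:00:00",
    "/logs/containers/3198058471-5mdkn_ef22f06f3462c74029d23d3ef6d5c765ecd41c2f86f796b074ea2e2de83bf4bd.log": 12,
    "/logs/containers/3198058471-5mdkn_0000000000000000000000000000000000000000000000000000000000000000.log": 5,
    "/logs/containers/api-7f9c4b_1111111111111111111111111111111111111111111111111111111111111111.log": 7,
}

if __name__ == "__main__":
    # Overwrite mode: the 5mdkn pod shows 5, the 12 events from the first file are gone.
    print(rename_row(SAMPLE_ROW))
    # Sum mode: the 5mdkn pod shows 17.
    print(rename_row(SAMPLE_ROW, on_collision="sum"))
```

If a collision can happen in your data, check for it before trusting the renamed counts: with the SPL answer as written, a duplicate short name silently drops one file's count rather than raising an error.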