Splunk Search

How to rename unknown field names from inputlookup file

cjohnk
Explorer

I want to merge multiple fields from multiple lookup tables into a single field/column. I only know the name of the field in table1.csv and not the name of the field in the appended table. Unfortunately, the below does not work as rename will not take * by itself. I have no idea what the field name will be in the appended table, though, I will know the table name.

| inputlookup table1.csv
| append [| inputlookup table2.csv | rename * as name]

If table1.csv and table2.csv have the exact field names, then the below works, but that won't be the case in my situation. In my situation, doing so will create two columns and not one merged column.

| inputlookup table1.csv
| append [| inputlookup table2.csv]
0 Karma

vupham
Explorer

you can use the foreach command to run the same command against a wildcarded field list.
so using your example search, it would look something like

| inputlookup table2.csv 
| foreach * 
    [ eval combined_field=mvappend(combined_field,'<<FIELD>>')]
| table combined_field 
| mvexpand combined_field
| inputlookup appent=t table1.csv

you may need to do some more manipulation to get the combined field name the way you want it. Doc on the foreach command linked below.
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Foreach

0 Karma

nareshinsvu
Builder

When you just run below command, what is the output?

| inputlookup table2.csv

do you see some column names? If so, you can rename them (to same as table1) and outputlookup to the same file

 |inputlookup table2.csv | rename <output_col1> as <table1_col1>  <output_col2> as <table1_col2>  blah blah | outputlookup table2.csv

And then, you can

 | inputlookup table1.csv
 | append [| inputlookup table2.csv]
0 Karma

cjohnk
Explorer

Running | inputlookup table2.csv gives me a field named "output" with a list of ID's under it. However, I cannot be looking up the field value each time as it will change. I'm creating a dashboard with a basic functionality which is called Merge Lookup Table. A user will enter the name of two tables, one in each input text box, and it should merge the tables into a single column. Everything needs to be done through the input box variables; a user should not need to know the field name.

The below will give me the field name
|inputlookup table2.csv |fieldsummary | fields field

In my dashboard, I changed the table name from above query to the variable from the input box and that also gives me the field name of the table.
|inputlookup $mergedtable$ |fieldsummary | fields field

But I cannot seem to assign the result of that query as a variable or use it in a function such as:
|rename [|inputlookup table2.csv |fieldsummary | fields field] as name

I get the following error:
Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+

I've tried at least 30 different variations of queries and all receive errors or don't combine the two tables into a single column.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...