Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bulk rename of all fields that come from calling "| lookup"?

woodcock
Esteemed Legend
‎07-27-2018 06:41 PM

We have a CMDB lookup that adds 100 fields when we do not specify a limited set with "OUTPUT". More fields are added every now and then. I cannot rename the fields in the file because too many people share this file; it is what it is. Is there a flexible way to rename all fields that are in there that will still work even when new fields are added or old field names change slightly? If I jus.t do an iteration of every field with | rename a AS CMDB_a, | rename b AS CMDB_b ... this will be fragile and break and be a huge blight in the middle of my search. I cannot do | rename * AS CMDB_* because there are many other fields and this search might change to add more non-CMDB fields, too.

Reply
1 Solution
Solved! Jump to solution
Solution

Noah_Woodcock
Path Finder
‎07-27-2018 06:42 PM

Like this:

... | rename * AS _HIDE_ALL_FIELDS_*
| lookup YourLookupDefinitionHere host AS _HIDE_ALL_FIELDS_host
| rename * AS CMDB_*
| rename _HIDE_ALL_FIELDS_* AS *

View solution in original post

Reply
Solved! Jump to solution

Noah_Woodcock
Path Finder
‎07-27-2018 06:43 PM

Like this:

... | lookup YourLookupDefinitionHere host
| rename COMMENT AS "Bulk rename of all fields from this lookup to add prefix 'CMDB_'"
| rename [| inputlookup  YourLookupDefinitionHere
          | head 1
          | foreach * [ eval <<FIELD>> = "CMDB_<<FIELD>>" ]
          | format "" "" "" "" "" ""
| rex field=search mode=sed "s/=/ AS /g"]
Reply
Solved! Jump to solution
Solution

Noah_Woodcock
Path Finder
‎07-27-2018 06:42 PM

Like this:

... | rename * AS _HIDE_ALL_FIELDS_*
| lookup YourLookupDefinitionHere host AS _HIDE_ALL_FIELDS_host
| rename * AS CMDB_*
| rename _HIDE_ALL_FIELDS_* AS *
Reply
Solved! Jump to solution

theady
Engager
‎04-25-2019 11:33 AM

I had issue with this. it seems to take the _* fields as part of the * on the first rename.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-25-2019 09:43 PM

It definitely should not and is a bug if it does.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-11-2020 11:46 PM

Came across this solution and noted the comments about _ fields being renamed and it does appear that it won't work as _ fields are also renamed with *

| makeresults
| eval myField=1
| rename * as HIDE_*
| table *

shows HIDE__time

and in my example

| rename * as _HIDE_ALL_*
| lookup work_status key as _HIDE_ALL_workStatusKey
| rename * as orig_work_status_*
| rename _HIDE_ALL_* as *

 after the second rename, all _HIDE_ fields are now orig_work_status__HIDE_...

which is not the intended outcome - shame - as it was a simple approach.

 

0 Karma
Reply
Solved! Jump to solution

davewood
Explorer
‎05-19-2021 05:05 AM

It seems the rename command changed behaviour somewhere along the way and now, as you noted, * matches _ fields too.

You can still use the same method though with a tweak to the final rename:

| rename * as _HIDE_ALL_*
| lookup work_status key as _HIDE_ALL_workStatusKey
| rename * as orig_work_status_*
| rename orig_work_status__HIDE_ALL_* as *

 

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...