Solved: How to rename a field name with curly braces by us... - Splunk Community

Splunk Search

Hi

I have several search where I performed renaming. Some of them are done on fied which looks like

xxx.yyy{}.aaa
xxx.yyy{}.bbb
zzz{}.ccc

In the search I do

| rename xxx.yyy{}.aaa as newname1, xxx.yyy{}.bbb as newname2, zzz{}.ccc as newname3

I tried to implement it with field alias configuration but it's doesn't work

Is it possible ?
I don't find any documentation about this specification

PS : my field alias works properly without curly braces

1 Solution

Solution

You can create the Field Alias through the UI using Settings > Fields > Field aliases.
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

View solution in original post

Hi @andrew_nelson

Thanks for the answers. It works now.

It was what I've configured.

I just don't understand why alias without {} has applied instantly and those {} was not visible last week. Now I can see all my alias !

Have a nice day

Solution

You can create the Field Alias through the UI using Settings > Fields > Field aliases.
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...