https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381201#M111518 <P>There's a possibility of doing this by <CODE>rex</CODE>. Can you provide some sample events?</P> Tue, 31 Jul 2018 18:34:44 GMT sudosplunk 2018-07-31T18:34:44Z https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381200#M111517 <P>Basically I have a bunch of fields that are coming in foo.date.blah, where date is dynamic and the foo and blah are static.</P> <P>I want to basically just coalesce or bulk rename these all into a field labeled foo.blah.</P> Tue, 31 Jul 2018 17:20:28 GMT https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381200#M111517 Cuyose 2018-07-31T17:20:28Z https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381201#M111518 <P>There's a possibility of doing this by <CODE>rex</CODE>. Can you provide some sample events?</P> Tue, 31 Jul 2018 18:34:44 GMT https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381201#M111518 sudosplunk 2018-07-31T18:34:44Z https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381202#M111519 <P>@Cuyose some sample field names and their values per event would help us assist you better.<BR /> Why you need <CODE>coalesce()</CODE>? What if multiple date fields are not null but are different? </P> Tue, 31 Jul 2018 19:51:35 GMT https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381202#M111519 niketn 2018-07-31T19:51:35Z https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381203#M111520 <P>Give this a try</P> <PRE><CODE>Your current search giving all fool.&lt;date&gt;.blah type fields | eval "foo.blah"=null() | foreach foo.*.blah [| eval "foo.blah"=coalesce('&lt;&lt;FIELD&gt;&gt;','foo.blah')] </CODE></PRE> <P>See this runanywhere sample (instead of dates I used numbers but should work the same way for dates)</P> <PRE><CODE>| gentimes start=-1 | eval "foo.12.blah"=1 | table foo* | append [| gentimes start=-1 | eval "foo.13.blah"=2 | table foo*] | append [| gentimes start=-1 | eval "foo.14.blah"=3 | table foo*] | eval "foo.blah"=null() | foreach foo.*.blah [| eval "foo.blah"=coalesce('&lt;&lt;FIELD&gt;&gt;','foo.blah')] </CODE></PRE> Tue, 31 Jul 2018 20:26:06 GMT https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381203#M111520 somesoni2 2018-07-31T20:26:06Z https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381204#M111521 <P>For whatever reason, this still is not working. Your example works, however replacing verbatim the foo and bar sections with my own data fails to parse out the information.</P> Tue, 31 Jul 2018 21:22:37 GMT https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381204#M111521 Cuyose 2018-07-31T21:22:37Z https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381205#M111522 <P>The field names are as follows<BR /> codeDropUploadMap.20180828..qcTickets<BR /> codeDropUploadMap.20180711..qcTickets<BR /> codeDropUploadMap.20180804..qcTickets<BR /> etc.</P> <P>The data contained within is a comma delimited string of id's. each row only has values for one of the columns, if any.</P> <P>I used your format to do something similar with another field and it worked fine. I think it might have to do with the data within?</P> Wed, 01 Aug 2018 14:48:34 GMT https://community.splunk.com/t5/Splunk-Search/Bulk-rename-fields-by-regex-pattern/m-p/381205#M111522 Cuyose 2018-08-01T14:48:34Z