https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424374#M121716 <P>effectively I want <CODE>Y2 = eval *X*</CODE> but not sure how to do it.<BR /> Y2 the new field that I know the name of <BR /> <EM>X</EM> the field that I partially know the name of</P> Wed, 30 Jan 2019 21:47:20 GMT HattrickNZ 2019-01-30T21:47:20Z https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424369#M121711 <P>How do I rename a field I don't know the name of or will be different into something I know e.g. X??</P> <P>So, Imagine I have a field name I don't know the name of, and I want to change it to a name I do know. How would I do this? </P> <P>I was thinking rename * as X</P> <P>So instead of this output:</P> <PRE><CODE>Date How do i rename a field I dont't know the name of or will be different into something I know e.g. X 1 1-Sep 0 2 2-Sep 0 </CODE></PRE> <P>I would have this output, but I don't know the name of the field to change it to X.</P> <PRE><CODE>Date X 1 1-Sep 0 2 2-Sep 0 </CODE></PRE> <P>Some sample serch/data: </P> <PRE><CODE>| makeresults | eval data = " 1-Sep 0; 2-Sep 0; " | makemv delim=";" data | mvexpand data | rex field=data "(?&lt;Date&gt;\d+-\w+)\s+(?&lt;kpi1&gt;\d+)" | fields + Date kpi1 | rename kpi1 as "a name with spaces" | fields - _time | search Date=* | rename "a name with spaces" as "How do i rename a field I dont't know the name of or will be different into something I know e.g. X" </CODE></PRE> Thu, 24 Jan 2019 22:14:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424369#M121711 HattrickNZ 2019-01-24T22:14:59Z https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424370#M121712 <P>If you at least know a regex pattern you can use to extract the field name and value combinations you can use an EXTRACT statement in props, or a combination of props and transforms, to extract your field names and values.</P> <P>If, for example your events have something like "field=value" you could use <CODE>(?&lt;_KEY_1&gt;[a-z]+)=(?&lt;_VAL_1&gt;[a-z]+)</CODE></P> <P>Here's an example of a config I've created in props to solve this very issue:<BR /> <CODE>[mysourcetype]<BR /> EXTRACT-custom_sourcetype_extract= (?&lt;_KEY_1&gt;[\w\s]+)\:\s?(?&lt;_VAL_1&gt;[^\n]+)<BR /> </CODE></P> <P>For reference: <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction#Add_a_regex_stanza_for_the_new_field_to_transforms.conf">Regex Field Name Extraction</A></P> Thu, 24 Jan 2019 22:34:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424370#M121712 dflodstrom 2019-01-24T22:34:44Z https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424371#M121713 <P>tks, but I was hoping to do it in the search not in the config(props and transform), that is if I understand correctly.</P> <P>but I did try rex but I think I still need to know the fieldname, but good idea to think to use regex to work on the pattern, I will see if i can do anything more with it. </P> <PRE><CODE>| makeresults | eval data = " 1-Sep 0; 2-Sep 0; " | makemv delim=";" data | mvexpand data | rex field=data "(?&lt;Date&gt;\d+-\w+)\s+(?&lt;kpi1&gt;\d+)" | fields + Date kpi1 | rename kpi1 as "a name with spaces" | fields - _time | search Date=* | rename "a name with spaces" as "kpi1" | rex field=kpi1 "(?&lt;host&gt;\d+)" </CODE></PRE> Fri, 25 Jan 2019 01:44:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424371#M121713 HattrickNZ 2019-01-25T01:44:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424372#M121714 <P>Would something like do work for you?</P> <PRE><CODE>| gentimes start=-1 | eval data = " 1-Sep 0; 2-Sep 0; " | makemv delim=";" data | mvexpand data | rex field=data "(?&lt;Date&gt;\d+-\w+)\s+(?&lt;kpi1&gt;\d+)" | fields + Date kpi1 | rename kpi1 as "a name with spaces" | fields - _time | search Date=* | rename "a name with spaces" as "How do i rename a field I dont't know the name of or will be different into something I know e.g. X" | eval X=null() | foreach * [ eval X=if("&lt;&lt;FIELD&gt;&gt;"!="Date" OR "&lt;&lt;FIELD&gt;&gt;"!="OtherFieldsYouWantToKeep",'&lt;&lt;FIELD&gt;&gt;',X) ] | table Date OtherFieldsYouWantToKeep X </CODE></PRE> Fri, 25 Jan 2019 02:09:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424372#M121714 somesoni2 2019-01-25T02:09:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424373#M121715 <P>I could not follow that. But it got me thinknig of something like this </P> <P><CODE>| foreach *X* [ rename '&lt;FIELD&gt;' as Y2]</CODE><BR /> So lets say I have a field name <CODE>aXa</CODE> (I only know it has an X in the middle). Can I change the fieldname to something I know e.g. <CODE>Y2</CODE> ??</P> Wed, 30 Jan 2019 21:43:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424373#M121715 HattrickNZ 2019-01-30T21:43:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424374#M121716 <P>effectively I want <CODE>Y2 = eval *X*</CODE> but not sure how to do it.<BR /> Y2 the new field that I know the name of <BR /> <EM>X</EM> the field that I partially know the name of</P> Wed, 30 Jan 2019 21:47:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-a-field-I-don-t-know-the-name-of-or-will-be/m-p/424374#M121716 HattrickNZ 2019-01-30T21:47:20Z