topic Re: Where can we rename the src field? in Splunk Search

Where can we rename the src field?

danielbb — Thu, 22 Aug 2019 16:53:29 GMT

We have the following working query -

(index=wineventlog sourcetype=WinEventLog NOT ("xxxx" OR "yyyy") 
src_ip IN (<mulitple IPs>)) OR (index=checkpoint 
dst IN (<mulitple IPs>) action=Accept ) 
| eval destination_ip = coalesce(<one name>,<second name>) 
| transaction destination_ip maxpause=60s

Both index=wineventlog and index=checkpoint have a src field.

Where can we rename it? because we end up after the transaction command with two srcfields.

Re: Where can we rename the src field?

richgalloway — Thu, 22 Aug 2019 17:55:36 GMT

You can rename the field any time after the first pipe. Of course, that will rename the field from both indexes. To rename only one index, you'll need to split the base query, do the rename, then combine them with append.

Re: Where can we rename the src field?

danielbb — Thu, 22 Aug 2019 18:52:19 GMT

Thank you @richgalloway.

The developer did | eval src-{index} = src which generated the src-wineventlog and src-checkpoint fields. She is happy ; -)

Re: Where can we rename the src field?

richgalloway — Thu, 22 Aug 2019 19:04:44 GMT

If your problem is resolved, please accept the answer to help future readers.