topic Re: Rename multiple fields to the same name using a * or a generic character, so it can be done on mass. in Splunk Search

Rename multiple fields to the same name using a * or a generic character, so it can be done on mass.

robertlynch2020 — Tue, 29 Sep 2020 07:46:39 GMT

Rename multiple fields to the same name using a * or a generic character. MY data set is producing a lot of data that can fit into the same name. The issues is renaming all of them could take along time.

The way i want to do it (using the * - rename "max(XML_PARSE): STAR" as XML_PARSE )
index=mlc_test sourcetype=LAS source=LAS.log MSG_TYPE=* | timechart span=10s max(IN_TRANS), max(XML_PARSE), max(HANDLER) by MSG_TYPE | rename "max(XML_PARSE): *" as XML_PARSE

However this does not work,

The Long Way [So i want to replace CONTRACT and DRAFT and XXX + YYY with STAR]
index=mlc_test sourcetype=LAS source=LAS.log MSG_TYPE=* | timechart span=10s max(IN_TRANS), max(XML_PARSE), max(HANDLER) by MSG_TYPE | rename "max(XML_PARSE): CONTRACT" as XML_PARSE | rename "max(XML_PARSE): DRAFT" as XML_PARSE

Re: Rename multiple fields to the same name using a * or a generic character, so it can be done on mass.

sundareshr — Tue, 29 Sep 2020 07:49:47 GMT

If you rename the way you are looking to rename, you will lose the grouping by msg_type. Why not just not group by msg_type? In other words modify your search to

index=mlc_test sourcetype=LAS source=LAS.log MSG_TYPE=* | timechart span=10s max(IN_TRANS) as in_trans, max(XML_PARSE) as xml_parse, max(HANDLER) as handler

Re: Rename multiple fields to the same name using a * or a generic character, so it can be done on mass.

jeremiahc4 — Tue, 10 Nov 2015 20:16:41 GMT

I've got the same problem where there are multiple fields which contain basically the same information, i.e. responseTime, but they are named differently for their business function. I don't want to hardcode 20 different renames, but rather have just one, but rename expects an asterisk on both sides of the AS and you still wind up with 20 different names. Coalesce isn't the answer either as I tried that and it has an entirely different behavior (creation of a MV field?)

Re: Rename multiple fields to the same name using a * or a generic character, so it can be done on mass.

jeremiahc4 — Tue, 10 Nov 2015 20:19:21 GMT

I see replace does what I'm looking for inside the field (i.e. the values). I need something like that for the key or field name.

Re: Rename multiple fields to the same name using a * or a generic character, so it can be done on mass.

sundareshr — Tue, 10 Nov 2015 20:27:25 GMT

Have you looked at field alias http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addaliasestofields