https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251779#M189316 <P>Any pattern in the event which shows the Browser names OR any pattern in the value using which those events could be filtered out? Probably one sample event of user and browser would help understand the problem better.</P> Mon, 11 Jul 2016 16:07:10 GMT somesoni2 2016-07-11T16:07:10Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251775#M189312 <P>Hello, </P> <P>I'm trying to get a clearer picture of data from our Okta application however two pieces of information have the exact same field. Is there a way to change this? </P> <P>So the example here is we are searching for all users and we want just a list of their names. The search query below is what we use to find it, however it drags a brower name too. </P> <P>source=okta:event actors{}.displayName=*</P> <P>exampleUser<BR /><BR /> exampleBrowser</P> <P>When that query is returned, it provides us with the name of the user which is what we want but also displays the browser they used. </P> <P>Just to be clear, the browser information isn't tied to the one field and just appears at the end. There are just two identical fields called actors{}.displayName, one displays a browser the other a name.</P> Mon, 11 Jul 2016 15:50:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251775#M189312 stegray93 2016-07-11T15:50:35Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251776#M189313 <P>Try this</P> <PRE><CODE>source=okta:event actors{}.displayName=* | eval "actors{}.displayName"=mvindex('actors{}.displayName',0) </CODE></PRE> <P><STRONG>Updated Answer</STRONG> based on sample event.</P> <P>Give this a try</P> <PRE><CODE> source=okta:event actors{}.displayName=* actors{}.objectType=User </CODE></PRE> Mon, 11 Jul 2016 15:54:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251776#M189313 somesoni2 2016-07-11T15:54:38Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251777#M189314 <P>Hi stegray93,</P> <P>I believe that you could use <CODE>expression regular</CODE> for extract this information. Do you can send the some samples of data for help you ?</P> Mon, 11 Jul 2016 15:57:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251777#M189314 rafamss 2016-07-11T15:57:15Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251778#M189315 <P>That didn't work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> still showing the browser information. We originally tried a NOT command with an AND that didn't seem to like it either. </P> Mon, 11 Jul 2016 16:04:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251778#M189315 stegray93 2016-07-11T16:04:30Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251779#M189316 <P>Any pattern in the event which shows the Browser names OR any pattern in the value using which those events could be filtered out? Probably one sample event of user and browser would help understand the problem better.</P> Mon, 11 Jul 2016 16:07:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251779#M189316 somesoni2 2016-07-11T16:07:10Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251780#M189317 <P>Please see below a standard sample event. Let me know if you need more. </P> <P>{ [-] <BR /> action: { [+] <BR /> }<BR /><BR /> <STRONG>actors</STRONG>: [ [-] <BR /> { [-] <BR /> <STRONG>displayName: Example</STRONG> <BR /> id: 00u10rdjtruAa5Qbf0x7<BR /><BR /> login: <A href="mailto:example@flexerasoftware.com">example@flexerasoftware.com</A><BR /><BR /> objectType: User<BR /><BR /> } <BR /> { [-] <BR /> <STRONG>displayName: CHROME</STRONG><BR /><BR /> id: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36<BR /><BR /> ipAddress: 50.233.14.1<BR /><BR /> objectType: Client<BR /><BR /> }<BR /><BR /> ]<BR /><BR /> eventId: tevs4oEpigaRlS8BgQGODiMig1468252444000<BR /><BR /> published: 2016-07-11T15:54:04.000Z<BR /><BR /> requestId: V4PBG-P59xfVa7HBAKck6wAABUU<BR /><BR /> sessionId: 1018VGvLCuXQ6CcHoC9rltHmg<BR /><BR /> targets: [ [+] <BR /> ] </P> Mon, 11 Jul 2016 16:18:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251780#M189317 stegray93 2016-07-11T16:18:10Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251781#M189318 <P>Try the updated answers.</P> Mon, 11 Jul 2016 16:20:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251781#M189318 somesoni2 2016-07-11T16:20:25Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251782#M189319 <P>Still didn't work. When I stat them up Chrome, IE11 and FireFox are still the top 3. It's strange as it generates it as if they were their own user, then when applying the NOT to the search string for CHROME then it removes anyone who's logged in using CHROME. </P> Mon, 11 Jul 2016 16:28:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251782#M189319 stegray93 2016-07-11T16:28:23Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251783#M189320 <P>Hi below is the sample event. Parts in bold are the parts I am referring too.</P> <P>{ [-] <BR /> action: { [+] <BR /> } <BR /> <STRONG>actors</STRONG>: [ [-] <BR /> { [-] <BR /> <STRONG>displayName</STRONG>: Example <BR /> id: 00u10rdjtruAa5Qbf0x7 <BR /> login: <A href="mailto:example@flexerasoftware.com">example@flexerasoftware.com</A> <BR /> objectType: User <BR /> } <BR /> { [-] <BR /> <STRONG>displayName</STRONG>: CHROME <BR /> id: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 <BR /> ipAddress: 50.233.14.1 <BR /> objectType: Client <BR /> } <BR /> ] <BR /> eventId: tevs4oEpigaRlS8BgQGODiMig1468252444000 <BR /> published: 2016-07-11T15:54:04.000Z <BR /> requestId: V4PBG-P59xfVa7HBAKck6wAABUU <BR /> sessionId: 1018VGvLCuXQ6CcHoC9rltHmg <BR /> targets: [ [+] <BR /> ] </P> Mon, 11 Jul 2016 16:30:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251783#M189320 stegray93 2016-07-11T16:30:52Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251784#M189321 <P>Would you be able to provide some screenshot on how the events look like upon runnign the updated query?</P> Mon, 11 Jul 2016 16:43:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251784#M189321 somesoni2 2016-07-11T16:43:42Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251785#M189322 <P>Might sound like a silly question but how do I upload an image into here? </P> Tue, 12 Jul 2016 08:51:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251785#M189322 stegray93 2016-07-12T08:51:04Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251786#M189323 <P>You can upload the image to a site like <A href="https://postimage.org/">https://postimage.org/</A> and post the URL here.</P> Tue, 12 Jul 2016 14:11:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251786#M189323 somesoni2 2016-07-12T14:11:35Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251787#M189324 <P>Both fields is inside of a same node of json, or not? The content of first field displayName have a fixed size? Because if the first field have the fixed size (7 bytes), could you use this regex: <CODE>(displayName:\s[A-Z]{6})</CODE></P> Mon, 18 Jul 2016 23:11:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-name/m-p/251787#M189324 rafamss 2016-07-18T23:11:51Z