https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569141#M198362 <P>sorry, will have to walk me through the :<BR />[| eval {app}&lt;&lt;FIELD&gt;&gt; = &lt;&lt;FIELD&gt;&gt;]</P><P>what is that doing and how would that handle multiple values for app?</P> Thu, 30 Sep 2021 13:08:07 GMT mcaulsc 2021-09-30T13:08:07Z https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569089#M198342 <P>Hi,</P><P>I have some data which spans multiple systems example below:<BR /><BR />"system" "app" "fld1" "fld2" "fld3"</P><P>sys1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;appA&nbsp; &nbsp;1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0</P><P>sys1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;appA&nbsp; &nbsp;0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0</P><P>sys1&nbsp; &nbsp; &nbsp; &nbsp; appB&nbsp; &nbsp; 0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1</P><P>What I'm trying to do is create a generic dashboard so I would need to rename the fields based on the "app" value. So something similar to:</P><P>when app=="appA" rename "fld1" as "appAfld1",&nbsp; rename "fld2" as "appAfld2"</P><P>when app=="appB" rename "fld1" as "appBfld1"</P><P>Then in a table only show the renamed fields, so a conditional table statement again based on the "app" value.</P><P>Any ideas on how/if that can be achieved?&nbsp; Alternately I just create separate dashboards but a lot of repetition in that so I suspect there is a way to do it.</P><P>Thanks in advance for any ideas.</P> Thu, 30 Sep 2021 09:23:15 GMT https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569089#M198342 mcaulsc 2021-09-30T09:23:15Z https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569092#M198343 <LI-CODE lang="markup">| foreach fld* [| eval {app}&lt;&lt;FIELD&gt;&gt; = &lt;&lt;FIELD&gt;&gt;]</LI-CODE> Thu, 30 Sep 2021 10:00:04 GMT https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569092#M198343 ITWhisperer 2021-09-30T10:00:04Z https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569141#M198362 <P>sorry, will have to walk me through the :<BR />[| eval {app}&lt;&lt;FIELD&gt;&gt; = &lt;&lt;FIELD&gt;&gt;]</P><P>what is that doing and how would that handle multiple values for app?</P> Thu, 30 Sep 2021 13:08:07 GMT https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569141#M198362 mcaulsc 2021-09-30T13:08:07Z https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569221#M198404 <P>The braces around the app uses the value of the field as part of the field name and then the name of the field from&nbsp; the foreach &lt;&lt;FIELD&gt;&gt; is add so {app}&lt;&lt;FIELD&gt;&gt;&nbsp; = &lt;&lt;FIELD&gt;&gt; becomes appAfld1 = fld1 which is what you were after.</P> Thu, 30 Sep 2021 20:12:00 GMT https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569221#M198404 ITWhisperer 2021-09-30T20:12:00Z https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569278#M198413 <P>ah, I see now, thanks for the explanation, I got that working and that will be useful.<BR /><BR />My example was a bit too literal I think where I masked names. What I'm actually after is a complete rename so:<BR /><SPAN>when app=="appA" rename "fld1" as "newname1",&nbsp; rename "fld2" as "newname2",&nbsp; rename "fld3" as "newname11"</SPAN></P> Fri, 01 Oct 2021 07:53:54 GMT https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569278#M198413 mcaulsc 2021-10-01T07:53:54Z https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569282#M198415 <P>so what I really want is something equivalent to&nbsp; IF .... THEN DO</P><P>If app =app1 then Do<BR />&nbsp; &nbsp;rename fld1 as newname1<BR />&nbsp; &nbsp;rename fld2 as newname2<BR />&nbsp; &nbsp;rename field3 as newname11<BR />End<BR />If app =app2 then Do<BR />&nbsp; &nbsp;rename fld1 as newnameA<BR />&nbsp; &nbsp;rename fld2 as newnameB<BR />&nbsp; &nbsp;rename field3 as newnameYY<BR />End</P><P>Hopefully that makes more sense.<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Oct 2021 08:07:40 GMT https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569282#M198415 mcaulsc 2021-10-01T08:07:40Z https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569284#M198416 <P>Flip it the other way around</P><LI-CODE lang="markup">| eval newname1=case(app="app1","newname1",app="app2","newnameA") | eval {newname1}=fld1 | eval newname2=case(app="app1","newname2",app="app2","newnameB") | eval {newname2}=fld2 etc.</LI-CODE> Fri, 01 Oct 2021 08:18:38 GMT https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569284#M198416 ITWhisperer 2021-10-01T08:18:38Z https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569293#M198423 <P>That's it, excellent and I can pull them into a table etc with a generic.<BR />Thanks for the solution and also the explanations.</P> Fri, 01 Oct 2021 09:14:45 GMT https://community.splunk.com/t5/Splunk-Search/Rename-fields-based-on-Token-value/m-p/569293#M198423 mcaulsc 2021-10-01T09:14:45Z