topic Re: Is there any way of taking the field name in an event and using the lookup renaming it to what is found in the looku in Splunk Search

Is there any way of taking the field name in an event and using the lookup renaming it to what is found in the lookup?

jwhughes58 — Fri, 09 Sep 2022 17:06:19 GMT

I'm working with the "Jira Issue Input Add-on" and in Jira we have created custom fields. Splunk ingests issues and the custom field data looks like this

customfield_10101: SA-1017 customfield_10107: 3 customfield_25402: [ [+] ] customfield_25426: [ [+] ] customfield_25427: { [+] }

There are 1,049 custom fields. I would like to use the names for the custom fields and have created a csv file with this

customfield_custom_field_number,custom_field_name customfield_10000,Request participants ... customfield_27904,Target Date

I'm trying to avoid having all the renames in props.conf. Is there any way of taking the field name in an event and using the lookup renaming it to what is found in the lookup?

Re: Is there any way of taking the field name in an event and using the lookup renaming it to what is found in the looku

yuanliu — Fri, 09 Sep 2022 17:23:24 GMT

You don't have. to rename; in fact better avoid renaming in props.conf. The answer is keyword AS. Excerpt from lookup:

The required syntax is in bold.
lookup
[local=<bool>] [update=<bool>]
<lookup-table-name> ( <lookup-field> [AS <event-field>] )...
[ OUTPUT | OUTPUTNEW (<lookup-destfield> [AS <event-destfield>] )... ]
Note: The lookup command can accept multiple lookup and event fields and destfields. For example:
...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUTNEW <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>