topic Re: Rename values extracted into field in Splunk Search

Rename values extracted into field

gnovak — Tue, 07 Aug 2012 20:58:43 GMT

Can you rename values extracted into fields?

Example - Here is a field i have called "filename" and some examples of values that were extracted.

filename=statement.pdf
filename=invoice.pdf
filename=invoice.html

Can I rename (or trick) these values from the field filename to show up in a chart or table as:

statement.pdf ====> Billing Statement
invoice.pdf ===> Billing Invoice
invoice.html ===> Drilldown Invoice

I was looking at eval but so far haven't figured anything out yet.

Re: Rename values extracted into field

splunk_gs — Thu, 09 Aug 2012 19:32:39 GMT

use eval
for example...

search whatever | eval Actual = case(filename = "statement.pdf","Billing Statement",filename = " invoice.pdf","Billing Invoice", filename = "invoice.html","Drilldown Invoice")

Re: Rename values extracted into field

splunk_gs — Thu, 09 Aug 2012 19:46:48 GMT

haha yup eval can be used with just about anything...you can dig deeper by surrounding the eval with a coalesce for unknown values like coalesce(case(...),"unknown") and that will replace unknown definitions as "unknown"

Re: Rename values extracted into field

gnovak — Thu, 09 Aug 2012 20:19:37 GMT

filename="-.pdf","Scorecard" is what I have at the end. I'm wondering if it's because of how it's defined earlier in the search with the NOT command?

Re: Rename values extracted into field

gnovak — Mon, 28 Sep 2020 12:14:09 GMT

For some reason Scorecard won't show up w/ this search. sourcetype="EPPWEB" source="/opt/log//web_server/info.log" WAT | rex field=_raw "USER (?P[\d+-\w\w]) downloading ./(?.+?)$" | search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=-.pdf NOT filename=-_.pdf | stats count by registrar, filename | eval Actual=case(filename="Statement.pdf","Billing Statement",filename="Invoice.pdf","Billing Invoice",filename="text.txt","Billing Text",filename="-*.pdf","Scorecard")

Re: Rename values extracted into field

gnovak — Thu, 09 Aug 2012 20:27:16 GMT

and for some reason Comments like to remove my *'s from my searches. Will post what i mean as an answer...

Re: Rename values extracted into field

ackoch — Thu, 23 May 2013 19:17:01 GMT

Hrmm... I don't understand.

On my summary page, I have a source listed as "WinEventLog:ForwardedEvents" that I'd like to rename to "DC Security Logs"

Anyone able to help?

Re: Rename values extracted into field

Michael — Wed, 03 Jun 2015 19:17:04 GMT

Maybe I miss-understood the question, but this didn't work for me; but the "replace" command worked great. Reference here:

http://answers.splunk.com/answers/7077/how-can-i-rename-the-host-names-for-my-chart.html

Re: Rename values extracted into field

Michael — Tue, 30 May 2017 15:33:24 GMT

Ya, I didn't get that either... I ended up simply using REX:

rex field=mount mode=sed "s/space/Splunk DB location/g"

This takes the value "space" in the mount field (this is a df output) and replaces the word "space" with "Splunk DB location".