Solved: Changing field names at runtime

mmmmssss · ‎08-05-2013

Hi,

I cant find a good way to rename multiple field names within different datatypes at run time to then be able to apply transactions to them.

Here is an example:

search * | rename SourceNetworkAddress as IP | stats count by IP

This gives me 4 different IP's with 39 distinct events

if I change it to

search * | rename SourceNetworkAddress as IP, IP_Address as IP | stats count by IP

The second value seems to overwrite the first and I end up with 2 different IP addresses with 12 distinct events. I guess because the first event type doesnt contain that fieldname it is just being overwritten to blank.

I have got around it in the interim by just renaming the first field to the name of the second, but this isnt flexible as I now want to add a third datatype.

Any help appreciated! Thanks,

Ayn · ‎08-05-2013

You could use eval's coalesce() function instead. It will take a variable number of parameters and return the first one that is not null.

search * | eval IP=coalesce(SourceNetworkAddress, IP_Address, ..., ...) | stats count by IP

View solution in original post

Ayn · ‎08-05-2013

You could use eval's coalesce() function instead. It will take a variable number of parameters and return the first one that is not null.

search * | eval IP=coalesce(SourceNetworkAddress, IP_Address, ..., ...) | stats count by IP

Changing field names at runtime

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation