Solved: Re: rename clobbers existing field with that name

alexl1 · ‎12-11-2014

hi, is there a way to rename a splunk field but that if the field name already exists it won't get clobbered?

E.g.
let's say some events have a field called oldfield and some already have a field called newfield

I want oldfield to get renamed but if newfield exists (and I know old field won't exist if it does) then I want that to be newfield

thanks,

acharlieh · ‎12-11-2014

Instead of rename, you could use an eval to determine the value, and then just remove the oldfield.

| eval newfield=coalesce(newfield,oldfield) | fields - oldfield

acharlieh · ‎12-11-2014

Instead of rename, you could use an eval to determine the value, and then just remove the oldfield.

| eval newfield=coalesce(newfield,oldfield) | fields - oldfield

lmonahan · ‎04-26-2022

Outrageous trick! Very helpful, thank you! 😀

alexl1 · ‎12-11-2014

thanks! ..

alexl1 · ‎12-11-2014

(I used to know how to do it but I forgot)

rename clobbers existing field with that name