Can a lookup be used for renaming a field name?

simpkins1958 · ‎07-15-2016

Trying to figure out if can rename field names using lookup and CSV file. Something like this:

index=main d_name="*" | dedup d_name | table _time d_name plat d_man d_mod user | rename d_name TO value from csv lookup

csv file:
fieldname,tableheader
d_name, Device Name
plat, Platform
d_man, Manufacturer
d_mod, Model
user, User

woodcock · ‎07-15-2016

Like this:

... | rename [|inputcsv renameFields.csv| format "" "" "" "" "" "" | rex field=search mode=sed "s/ tableheader=/ AS /g s/fieldname=//g"]

ahansson89 · ‎07-27-2017

I downvoted this post because does not work

aaraneta_splunk · ‎07-27-2017

@ahansson89 - Downvoting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices. Simply commenting with more information about what didn't work and what you've tried (or whatever other info may be relevant) would suffice to help you troubleshoot further.

sundareshr · ‎07-15-2016

Try this

index=main d_name="*" | dedup d_name |  table _time d_name plat d_man d_mod user | join d_name  [| inputlookup lookup.csv | rename fieldname AS d_name | ] | eval {tableheader}=d_name

simpkins1958 · ‎07-15-2016

Using rename command below is not working...

rename d_name as [| inputlookup fieldnames where fieldname="d_name" | return $tableheader]

diogofgm · ‎07-15-2016

Any reason to not just simply use FIELDALIAS in the props.conf of you sourcetype?

------------
Hope I was able to help you. If so, some karma would be appreciated.

Can a lookup be used for renaming a field name?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!