Renaming auto extracted fields

SudarshanS
Explorer

After parsing my JSON fields, the auto-extracted fields have a format like this: a{}.b and a{}.b{}.c and so on.
When I try to add an auto-extracted field to a data model, I'm getting an exception:

"Field Name can not contain whitespace, double quotes, single quotes, curly braces or asterisks." This exception makes sense, as my auto-extracted field name contains curly braces, so how can I remove the curly braces? I tried to use the concept of field alias as mentioned in https://answers.splunk.com/answers/307993/is-there-a-bug-in-splunk-6-with-adding-an-attribut.html. But I'm not able to add a field alias in the Data Model. Is there an example of how to add a field alias in a Data Model?

0 Karma
1 Solution

adonio
Ultra Champion

Use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
There are other options out there as well, the eval command for example.

0 Karma

SudarshanS
Explorer

Hi Adonio,

Thanks for your reply. Using spath and rename can be done on the search head; how can I use it in a data model?

0 Karma

adonio
Ultra Champion

A couple of options here regarding a data model.
First, you can extract the fields first and have the data model root search or child search or constraint have the fields you extracted with spath and renamed, as mentioned.
The other option is: -> add field -> eval expression -> eval "A" = 'a{}.b'
I think it's supposed to work.
Hope it helps.

0 Karma
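
Added example, not part of the original thread and not Splunk's own code: a Python helper that generates the rename command and the single-quoted eval expressions discussed above for any list of auto-extracted field names. Flattening dots to underscores and the numeric collision suffix are choices made for this example, and the field names are constructed samples.

```python
import re

# Characters the data model editor rejects, per the error quoted in the question:
# whitespace, double quotes, single quotes, curly braces and asterisks.
FORBIDDEN = re.compile(r"[\s\"'{}*]")

def safe_name(field):
    """Map an auto-extracted JSON field name to a name the data model accepts."""
    name = field.replace("{}", "")       # drop the array markers added by spath
    name = FORBIDDEN.sub("_", name)      # any other rejected character
    name = name.replace(".", "_")        # assumption of this example: flatten dots too
    return re.sub(r"_+", "_", name).strip("_") or "field"

def build_mapping(fields):
    """Return {original: safe}, adding a numeric suffix when two names collide."""
    mapping, used = {}, set()
    for field in fields:
        if '"' in field or "'" in field:
            raise ValueError(f"cannot quote field name safely: {field!r}")
        base = candidate = safe_name(field)
        n = 2
        while candidate in used:
            candidate = f"{base}_{n}"
            n += 1
        used.add(candidate)
        mapping[field] = candidate
    return mapping

def rename_clause(mapping):
    """Build one SPL rename command; source names go in double quotes."""
    pairs = [f'"{src}" AS {dst}' for src, dst in mapping.items() if src != dst]
    return "| rename " + ", ".join(pairs) if pairs else ""

def eval_expression(field):
    """Expression for a data model eval field; source names go in single quotes."""
    return f"'{field}'"

# Constructed sample field names in the shape described in the question.
SAMPLE_FIELDS = ["a{}.b", "a{}.b{}.c", "a.b", "host"]

if __name__ == "__main__":
    fields = build_mapping(SAMPLE_FIELDS)
    print(rename_clause(fields))
    for source, target in fields.items():
        print(f"{target} = {eval_expression(source)}")
```

The rename output goes into the root search or constraint search; the eval expressions go into the data model's "eval expression" field, one per target name.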

SudarshanS
Explorer

Thank you so much adonio.

0 Karma

adonio
Ultra Champion

@SudarshanS,
if it worked for you and answers your question,
please mark the question as answered, and up-vote the comments you feel were helpful.
Cheers

0 Karma