Getting Data In

Renaming auto extracted fields

SudarshanS
Explorer

After parsing my json fields the auto extracted fields have format like this a{}.b and a{}.b{}.c and so on.
When i try to add auto extracted field to data model I'm getting an exception,

"Field Name can not contain whitespace, double quotes, single quotes, curly braces or asterisks. " And this exception makes sense as my auto extracted field name contains curly braces, so how can i remove curly braces. I tried to use the concept of field alias as mentioned in https://answers.splunk.com/answers/307993/is-there-a-bug-in-splunk-6-with-adding-an-attribut.html. But I'm not able to add field alias in Data Model, Is there an example how to add field alias in Data Model.

0 Karma
1 Solution

adonio
Ultra Champion

use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
there are other options out there as well. eval command for example

View solution in original post

0 Karma

adonio
Ultra Champion

use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
there are other options out there as well. eval command for example

0 Karma

SudarshanS
Explorer

Hi Adonio,

Thanks for your reply. using spath and rename can be done on search head, how can i use it in data model ?

0 Karma

adonio
Ultra Champion

couple of options here regarding a data model.
first, you can extract the fields first and have the data model root search or child search or constraint have the fields you extracted with spath and renamed mentioned.
other option is: -> add field -> eval expression -> eval "A" = a{}.b
i think it supposed to work
hope it helps

0 Karma

SudarshanS
Explorer

Thank you so much adonio.

0 Karma

adonio
Ultra Champion

@SudarshanS,
if it worked for you and answers your question,
please mark question as answered, and up-vote the comments you feel were helpful
cheers

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...