Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Renaming auto extracted fields

SudarshanS
Explorer
‎07-03-2017 10:37 AM

After parsing my json fields the auto extracted fields have format like this a{}.b and a{}.b{}.c and so on.
When i try to add auto extracted field to data model I'm getting an exception,

"Field Name can not contain whitespace, double quotes, single quotes, curly braces or asterisks. " And this exception makes sense as my auto extracted field name contains curly braces, so how can i remove curly braces. I tried to use the concept of field alias as mentioned in https://answers.splunk.com/answers/307993/is-there-a-bug-in-splunk-6-with-adding-an-attribut.html. But I'm not able to add field alias in Data Model, Is there an example how to add field alias in Data Model.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-03-2017 10:40 AM

use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
there are other options out there as well. eval command for example

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-03-2017 10:40 AM

use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
there are other options out there as well. eval command for example

0 Karma
Reply
Solved! Jump to solution

SudarshanS
Explorer
‎07-03-2017 10:57 AM

Hi Adonio,

Thanks for your reply. using spath and rename can be done on search head, how can i use it in data model ?

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-03-2017 11:26 AM

couple of options here regarding a data model.
first, you can extract the fields first and have the data model root search or child search or constraint have the fields you extracted with spath and renamed mentioned.
other option is: -> add field -> eval expression -> eval "A" = a{}.b
i think it supposed to work
hope it helps

0 Karma
Reply
Solved! Jump to solution

SudarshanS
Explorer
‎07-04-2017 02:25 AM

Thank you so much adonio.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-04-2017 05:12 AM

@SudarshanS,
if it worked for you and answers your question,
please mark question as answered, and up-vote the comments you feel were helpful
cheers

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...