Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Renaming auto extracted fields

SudarshanS
Explorer
‎07-03-2017 10:37 AM

After parsing my json fields the auto extracted fields have format like this a{}.b and a{}.b{}.c and so on.
When i try to add auto extracted field to data model I'm getting an exception,

"Field Name can not contain whitespace, double quotes, single quotes, curly braces or asterisks. " And this exception makes sense as my auto extracted field name contains curly braces, so how can i remove curly braces. I tried to use the concept of field alias as mentioned in https://answers.splunk.com/answers/307993/is-there-a-bug-in-splunk-6-with-adding-an-attribut.html. But I'm not able to add field alias in Data Model, Is there an example how to add field alias in Data Model.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-03-2017 10:40 AM

use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
there are other options out there as well. eval command for example

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-03-2017 10:40 AM

use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
there are other options out there as well. eval command for example

0 Karma
Reply
Solved! Jump to solution

SudarshanS
Explorer
‎07-03-2017 10:57 AM

Hi Adonio,

Thanks for your reply. using spath and rename can be done on search head, how can i use it in data model ?

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-03-2017 11:26 AM

couple of options here regarding a data model.
first, you can extract the fields first and have the data model root search or child search or constraint have the fields you extracted with spath and renamed mentioned.
other option is: -> add field -> eval expression -> eval "A" = a{}.b
i think it supposed to work
hope it helps

0 Karma
Reply
Solved! Jump to solution

SudarshanS
Explorer
‎07-04-2017 02:25 AM

Thank you so much adonio.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-04-2017 05:12 AM

@SudarshanS,
if it worked for you and answers your question,
please mark question as answered, and up-vote the comments you feel were helpful
cheers

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...