Getting Data In

Renaming auto extracted fields

SudarshanS
Explorer

After parsing my json fields the auto extracted fields have format like this a{}.b and a{}.b{}.c and so on.
When i try to add auto extracted field to data model I'm getting an exception,

"Field Name can not contain whitespace, double quotes, single quotes, curly braces or asterisks. " And this exception makes sense as my auto extracted field name contains curly braces, so how can i remove curly braces. I tried to use the concept of field alias as mentioned in https://answers.splunk.com/answers/307993/is-there-a-bug-in-splunk-6-with-adding-an-attribut.html. But I'm not able to add field alias in Data Model, Is there an example how to add field alias in Data Model.

0 Karma
1 Solution

adonio
Ultra Champion

use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
there are other options out there as well. eval command for example

View solution in original post

0 Karma

adonio
Ultra Champion

use the rename command:
... | rename a{}.b as A, a{}.b{}.c{} as B .....
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rename
there are other options out there as well. eval command for example

0 Karma

SudarshanS
Explorer

Hi Adonio,

Thanks for your reply. using spath and rename can be done on search head, how can i use it in data model ?

0 Karma

adonio
Ultra Champion

couple of options here regarding a data model.
first, you can extract the fields first and have the data model root search or child search or constraint have the fields you extracted with spath and renamed mentioned.
other option is: -> add field -> eval expression -> eval "A" = a{}.b
i think it supposed to work
hope it helps

0 Karma

SudarshanS
Explorer

Thank you so much adonio.

0 Karma

adonio
Ultra Champion

@SudarshanS,
if it worked for you and answers your question,
please mark question as answered, and up-vote the comments you feel were helpful
cheers

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...