Splunk Enterprise

How do I rename a file after extraction?

wuming79
Path Finder

Hi, how do I rename _time AS Time in m example below? I'm getting no results with the example below.

temperature sourcetype=kaa | rex field=_raw "\"endpointKeyHash\":\{\"string\":\"(?[^\"]*)\".*\"Event\": (?\{.*\})\}$"| spath input=mydata | rename _time AS Time| table Time, endpoint, temperature
Tags (1)
0 Karma

DalJeanis
Legend

1) When posting code on the forum, please be sure to mark it as code, so that things in < > are not deleted by the interface. I've updated your question to mark the code, but there apparently were no items marked to be extracted in the rex.

2) The first part of your search says to check records with sourcetype=kaa, and look for events with the word temperature in them. Best practices are to always specify the index name for a search.

3) Renaming _time as Time doesn't accomplish anything except losing the auto-formatting on the field, so it's probably not the reason you are not getting results. Try this, to see if there are any records there to be extracted at all...

temperature sourcetype=kaa | head 1 

If there are no records, then add the correct index and fix the criteria as needecd. If there is one, then check to see if it has fields _time, _raw, and mydata.

If mydata is not there, then that is your reason for no return records. Correct the input= parameter on the spath command to be the correct field name.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...