Splunk Search

After renaming an auto-extracted field in Data Model Editor, why am I unable to reference the renamed field when doing a tstats search?

bcronrath
Path Finder

I've tried this with multiple fields now and the same behavior occurs. What I want is simple:

To auto extract a field, and have it rename to something else so that I don't have to constantly pipe in a rename when I do tstats calls against the data model. Based on my understanding, when I set up the data model and give the field a display name, should this not essentially rename the field? Because this does not seem to be what it does, and in fact I have no idea where the Display Name ever comes into effect. I don't see it showing up anywhere aside from in the data model field list.

For instance, let's say I have a field "dimension" in a source that a data model is pulling in from via the constraints. Now I add this field via Add Attribute -> Auto Extraction and set the rename to be "status" instead of "dimension". Now, when I try to do a tstats call, it still only recognizes the field if I call it by the name of "dimension". If I try to reference it by "status" I get nothing. So am I misunderstanding what this rename is supposed to be doing, or is there some caveat that prevents my tstats call from recognizing that fields are supposed to be renamed?

0 Karma

rjthibod
Champion

I don't believe display names will work that way. It is my understanding that display names will only automatically appear when you use Pivot instead of tstats.

You could do a look-up into the datamodel definition to match the extracted field name to its matching display name, but that would require some additional sub-search steps. If you wanted to do something like that, here is a macro that could put you on the path of getting that information.

You would invoke the macro in a search as:
| `list_fields_by_datamodel_object("DATAMODELNAME")`

[list_fields_by_datamodel_object(1)]
description = List of all fields in datamodel (arg1)
iseval      = 0
errormsg    = datamodel (arg1) must be a valid datamodel
args        = datamodel
definition  = datamodel $datamodel$ | spath output=foo path=objects{} | mvexpand foo | table foo | spath input=foo path=objectName output=objectName | spath input=foo path=lineage output=lineage | spath input=foo output=fields path=fields{} | mvexpand fields | spath input=fields | table objectName lineage fieldName displayName owner | append [| datamodel $datamodel$ | spath output=foo path=objects{} | mvexpand foo | table foo | spath input=foo path=objectName output=objectName | spath input=foo path=lineage output=lineage | spath input=foo output=fields path=calculations{}.outputFields{} | mvexpand fields | spath input=fields | table objectName lineage fieldName displayName owner ] | eval path = owner.".".fieldName | eval path = "\"".replace(path,"^(BaseEvent\.)(.*)","\2")."\"" | rename fieldName as field
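
The lookup described in the answer above, as an added example that is not part of the original post: Python that walks the same JSON paths the macro reads with spath (objects{}, fields{}, calculations{}.outputFields{}) and builds a `| rename` stage to append after a tstats search. The sample definition and the helper names `field_paths` and `rename_clause` are constructed for illustration, and the JSON shape is assumed from the macro's paths.

```python
import json

# Constructed sample, shaped after the paths the macro reads with spath.
SAMPLE_MODEL = json.loads("""
{"objects": [{
  "objectName": "Metrics", "lineage": "Metrics",
  "fields": [
    {"fieldName": "_time", "displayName": "_time", "owner": "BaseEvent"},
    {"fieldName": "dimension", "displayName": "status", "owner": "Metrics"}
  ],
  "calculations": [{"outputFields": [
    {"fieldName": "bytes_total", "displayName": "Total Bytes", "owner": "Metrics"}
  ]}]
}]}
""")


def field_paths(model):
    """Yield (path, display_name) per field, using the macro's path rule."""
    for obj in model.get("objects", []):
        fields = list(obj.get("fields", []))
        for calc in obj.get("calculations", []):
            fields.extend(calc.get("outputFields", []))
        for f in fields:
            # Same rule as the macro: owner.fieldName, minus a leading "BaseEvent."
            path = f'{f.get("owner", "")}.{f["fieldName"]}'
            if path.startswith("BaseEvent."):
                path = path[len("BaseEvent."):]
            yield path, f.get("displayName", f["fieldName"])


def rename_clause(model):
    """Build one `| rename` stage for fields whose display name differs."""
    pairs, seen = [], set()
    for path, display in field_paths(model):
        leaf = path.rsplit(".", 1)[-1]
        # Skip unchanged names and fields repeated in child objects.
        if display == leaf or path in seen:
            continue
        seen.add(path)
        safe = display.replace('"', '\\"')  # keep the quoted SPL name intact
        pairs.append(f'"{path}" AS "{safe}"')
    return "| rename " + ", ".join(pairs) if pairs else ""


if __name__ == "__main__":
    print(rename_clause(SAMPLE_MODEL))
```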