
After renaming an auto-extracted field in Data Model Editor, why am I unable to reference the renamed field when doing a tstats search?

bcronrath
Path Finder

I've tried this with multiple fields now and the same behavior occurs. What I want is simple:

To auto extract a field, and have it rename to something else so that I don't have to constantly pipe in a rename when I do tstats calls against the data model. Based on my understanding, when I set up the data model and give the field a display name, should this not essentially rename the field? Because this does not seem to be what it does, and in fact I have no idea where the Display Name ever comes into effect. I don't see it showing up anywhere aside from in the data model field list.

For instance, let's say I have a field "dimension" in a source that a data model is pulling in from via the constraints. Now I add this field via Add Attribute -> Auto Extraction and set the rename to instead be "status" instead of "dimension". Now, when I try to do a tstats call, it still only recognizes the field if I call it by the name of "dimension". If I try to reference it by "status" I get nothing. So am I misunderstanding what this rename is supposed to be doing, or is there some caveat that prevents my tstats call from recognizing that fields are supposed to be renamed?


rjthibod
Champion

I don't believe display names will work that way. It is my understanding that display names will only automatically appear when you use Pivot instead of tstats.

You could do a look-up into the datamodel definition to match the extracted field name to its matching display name, but that would require some additional sub-search steps. If you wanted to do something like that, here is a macro that could put you on the path of getting that information.

You would invoke the macro in a search as:
| `list_fields_by_datamodel_object("DATAMODELNAME")`

[list_fields_by_datamodel_object(1)]
description = List of all fields in datamodel (arg1)
iseval      = 0
errormsg    = datamodel (arg1) must be a valid datamodel
args        = datamodel
definition  = datamodel $datamodel$ | spath output=foo path=objects{} | mvexpand foo | table foo | spath input=foo path=objectName output=objectName | spath input=foo path=lineage output=lineage | spath input=foo output=fields path=fields{} | mvexpand fields | spath input=fields | table objectName lineage fieldName displayName owner | append [| datamodel $datamodel$ | spath output=foo path=objects{} | mvexpand foo | table foo | spath input=foo path=objectName output=objectName | spath input=foo path=lineage output=lineage | spath input=foo output=fields path=calculations{}.outputFields{} | mvexpand fields | spath input=fields | table objectName lineage fieldName displayName owner ] | eval path = owner.".".fieldName | eval path = "\"".replace(path,"^(BaseEvent\.)(.*)","\2")."\"" | rename fieldName as field
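The macro above walks the data model definition (objects{} -> fields{} and calculations{}.outputFields{}) and strips the BaseEvent. prefix from the owner path. The following Python is an added example, not code from this thread or from Splunk, that does the same walk offline over a constructed data model JSON shaped like what `| datamodel <name>` returns, and then turns the fieldName/displayName pairs into the `| rename` clause you would otherwise keep typing after a tstats call. The sample model, its object and field names, and the helper names are all constructed for illustration.

```python
import json
import re

# Constructed sample of a data model definition. The shape (objects[] -> fields[]
# and calculations[] -> outputFields[], each field carrying fieldName, displayName
# and owner) matches what the macro in the answer reads with spath; the values
# are made up for this example.
SAMPLE_DATAMODEL_JSON = json.dumps({
    "modelName": "example_model",
    "objects": [
        {
            "objectName": "Web_Events",
            "lineage": "Web_Events",
            "fields": [
                {"fieldName": "dimension", "displayName": "status", "owner": "Web_Events"},
                {"fieldName": "host", "displayName": "host", "owner": "BaseEvent"},
            ],
            "calculations": [
                {"outputFields": [
                    {"fieldName": "resp_bytes", "displayName": "Response Bytes",
                     "owner": "Web_Events"},
                ]}
            ],
        }
    ],
})


def extract_field_map(datamodel_json):
    """Return one row per field (auto-extracted and calculated), with the same
    columns the macro tables: objectName, lineage, fieldName, displayName, owner,
    plus the tstats-style path owner.fieldName with any BaseEvent. prefix removed."""
    model = json.loads(datamodel_json)
    rows = []
    for obj in model.get("objects", []):
        field_lists = [obj.get("fields", [])]
        for calc in obj.get("calculations", []):
            field_lists.append(calc.get("outputFields", []))
        for field_list in field_lists:
            for field in field_list:
                owner = field.get("owner", "")
                path = f"{owner}.{field['fieldName']}"
                # Same normalisation as the macro's replace(): inherited BaseEvent
                # fields (host, source, ...) are addressed without an owner prefix.
                path = re.sub(r"^(BaseEvent\.)(.*)", r"\2", path)
                rows.append({
                    "objectName": obj.get("objectName", ""),
                    "lineage": obj.get("lineage", ""),
                    "fieldName": field["fieldName"],
                    "displayName": field.get("displayName", field["fieldName"]),
                    "owner": owner,
                    "path": path,
                })
    return rows


def build_rename_clause(rows, object_name):
    """Build a `| rename` clause mapping tstats field paths to display names for
    one object, skipping fields whose display name already equals the field name.
    Both sides are double-quoted so display names containing spaces stay valid."""
    parts = []
    for row in rows:
        if row["objectName"] != object_name or row["fieldName"] == row["displayName"]:
            continue
        parts.append(f'"{row["path"]}" AS "{row["displayName"]}"')
    return "| rename " + ", ".join(parts) if parts else ""


if __name__ == "__main__":
    field_rows = extract_field_map(SAMPLE_DATAMODEL_JSON)
    for row in field_rows:
        print(f'{row["path"]:<25} display name: {row["displayName"]}')
    # Appending this to a tstats search gives the display names without
    # retyping the renames by hand each time.
    print(build_rename_clause(field_rows, "Web_Events"))
```

Running the script against the sample prints the three field rows and then `| rename "Web_Events.dimension" AS "status", "Web_Events.resp_bytes" AS "Response Bytes"`, which is the clause the questioner was expecting tstats to apply on its own; inherited BaseEvent fields such as `host` come out without an owner prefix, matching the macro's output.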