Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Bulk rename of all fields that come from calli...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a CMDB lookup that adds 100 fields when we do not specify a limited set with "OUTPUT". More fields are added every now and then. I cannot rename the fields in the file because too many people share this file; it is what it is. Is there a flexible way to rename all fields that are in there that will still work even when new fields are added or old field names change slightly? If I jus.t do an iteration of every field with | rename a AS CMDB_a, | rename b AS CMDB_b ... this will be fragile and break and be a huge blight in the middle of my search. I cannot do | rename * AS CMDB_* because there are many other fields and this search might change to add more non-CMDB fields, too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | rename * AS _HIDE_ALL_FIELDS_*
| lookup YourLookupDefinitionHere host AS _HIDE_ALL_FIELDS_host
| rename * AS CMDB_*
| rename _HIDE_ALL_FIELDS_* AS *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | lookup YourLookupDefinitionHere host
| rename COMMENT AS "Bulk rename of all fields from this lookup to add prefix 'CMDB_'"
| rename [| inputlookup YourLookupDefinitionHere
| head 1
| foreach * [ eval <<FIELD>> = "CMDB_<<FIELD>>" ]
| format "" "" "" "" "" ""
| rex field=search mode=sed "s/=/ AS /g"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | rename * AS _HIDE_ALL_FIELDS_*
| lookup YourLookupDefinitionHere host AS _HIDE_ALL_FIELDS_host
| rename * AS CMDB_*
| rename _HIDE_ALL_FIELDS_* AS *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had issue with this. it seems to take the _* fields as part of the * on the first rename.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It definitely should not and is a bug if it does.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Came across this solution and noted the comments about _ fields being renamed and it does appear that it won't work as _ fields are also renamed with *
| makeresults
| eval myField=1
| rename * as HIDE_*
| table *shows HIDE__time
and in my example
| rename * as _HIDE_ALL_*
| lookup work_status key as _HIDE_ALL_workStatusKey
| rename * as orig_work_status_*
| rename _HIDE_ALL_* as *after the second rename, all _HIDE_ fields are now orig_work_status__HIDE_...
which is not the intended outcome - shame - as it was a simple approach.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems the rename command changed behaviour somewhere along the way and now, as you noted, * matches _ fields too.
You can still use the same method though with a tweak to the final rename:
| rename * as _HIDE_ALL_*
| lookup work_status key as _HIDE_ALL_workStatusKey
| rename * as orig_work_status_*
| rename orig_work_status__HIDE_ALL_* as *
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
