How can I rename items with SPL query?

uagraw01 · ‎04-29-2022

Hello Splunkers,

How can i rename all the OrderNumber1, OrderNumber2, OrderNumber3 as OrderNumber. And Country1, Country2,Country4 as Country. I have attached the screenshot also.

Appreciated in advance

VatsalJagani · ‎04-29-2022

@uagraw01 - Use the solution given by @gcusello if you want to get one value out of all the fields.

If you want all values from those fields into a new multi-valued field, then you can try:

| eval Country = mvappend(Country1, Country2, ...)
| eval OrderNumber = mvappend(OrderNumber1, OrderNumber2, ...)

I hope this helps!!

gcusello · ‎04-29-2022

Hi @uagraw01 ,

if the field numbers is fixed, you can use coalesce option:

| eval OrderNumber=coalesce(OrderNumber1,OrderNumber2,OrderNumber3), country=coalesce(country1,country2,country3)

Ciao.

Giuseppe

uagraw01 · ‎04-29-2022

@gcusello I already tried this. But let me know is this a good approach ?

gcusello · ‎04-30-2022

Hi @uagraw01,

Yes, coalesce is very much used option.

Ciao.

Giuseppe

VatsalJagani · ‎04-29-2022

@uagraw01 - You can use the same formula as part of props.conf EVAL statement as well.

uagraw01 · ‎04-29-2022

@VatsalJagani I have some limitations here.

How can I rename items with SPL query?

other

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!