Solved: How do I rename a Rex field?

sid_1435 · ‎02-03-2023

Hi ,

I want to rename to Required Parameters Longitude and Latitude are missing or invalid to a new value Required Parameters missing.

index="****" k8s.namespace.name="*****" "Error" OR "Exception" | rex field=_raw "(?<error_msg>Required Parameters Longitude and Latitude are missing or invalid)" | stats count by error_msg | sort count desc

Any help will be great

ITWhisperer · ‎02-03-2023

| eval error_msg=if(match(_raw, "Required Parameters Longitude and Latitude are missing or invalid"),"Required Parameters missing", error_msg)

View solution in original post

ITWhisperer · ‎02-03-2023

| eval error_msg=if(match(_raw, "Required Parameters Longitude and Latitude are missing or invalid"),"Required Parameters missing", error_msg)

sid_1435 · ‎02-03-2023

Hi Again,

I have the drilldown on the field

Required Parameters Longitude and Latitude are missing or invalid

But since we have renamed it to

Required Parameters missing

it is sending renamed value as parameter , rather i want the original value as parameter

Can you please suggest how to do that

ITWhisperer · ‎02-03-2023

Add a condition to the drilldown so that if the value is "Required Parameters missing" change it to "Required Parameters Longitude and Latitude are missing or invalid" in the drilldown action

sid_1435 · ‎02-05-2023

Thanks ,

It worked

diogofgm · ‎02-03-2023

Use | rex with SED mode

| makeresults
| eval error_msg = "Required Parameters Longitude and Latitude are missing or invalid"
| rex field=error_msg mode=sed "s/(Required Parameters) .* (missing) .*/\1 \2/g"

------------
Hope I was able to help you. If so, some karma would be appreciated.

How do I rename a Rex field?

regex

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!