Re: How do I rename a field I don't know the name ...

HattrickNZ · ‎01-24-2019

How do I rename a field I don't know the name of or will be different into something I know e.g. X??

So, Imagine I have a field name I don't know the name of, and I want to change it to a name I do know. How would I do this?

I was thinking rename * as X

So instead of this output:

Date    How do i rename a field I dont't know the name of or will be different into something I know e.g. X
1   1-Sep   0
2   2-Sep   0

I would have this output, but I don't know the name of the field to change it to X.

Date    X
1   1-Sep   0
2   2-Sep   0

Some sample serch/data:

| makeresults 
 | eval data = "
  1-Sep    0;
  2-Sep    0; 
  " 
 | makemv delim=";" data 
 | mvexpand data 
 | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)" 
 | fields + Date kpi1 | rename kpi1 as "a name with spaces"
 | fields - _time
 | search Date=*
 | rename  "a name with spaces" as "How do i rename a field I dont't know the name of or will be different into something I know e.g. X"

somesoni2 · ‎01-24-2019

Would something like do work for you?

| gentimes start=-1
| eval data = "
1-Sep    0;
2-Sep    0; 
" 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)" 
| fields + Date kpi1 | rename kpi1 as "a name with spaces"
| fields - _time
| search Date=*
| rename  "a name with spaces" as "How do i rename a field I dont't know the name of or will be different into something I know e.g. X"  | eval X=null()
| foreach * [ eval X=if("<<FIELD>>"!="Date" OR "<<FIELD>>"!="OtherFieldsYouWantToKeep",'<<FIELD>>',X) ] | table Date OtherFieldsYouWantToKeep X

HattrickNZ · ‎01-30-2019

I could not follow that. But it got me thinknig of something like this

| foreach *X* [ rename '<FIELD>' as Y2]
So lets say I have a field name aXa (I only know it has an X in the middle). Can I change the fieldname to something I know e.g. Y2 ??

HattrickNZ · ‎01-30-2019

effectively I want Y2 = eval *X* but not sure how to do it.
Y2 the new field that I know the name of
X the field that I partially know the name of

dflodstrom · ‎01-24-2019

If you at least know a regex pattern you can use to extract the field name and value combinations you can use an EXTRACT statement in props, or a combination of props and transforms, to extract your field names and values.

If, for example your events have something like "field=value" you could use (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

Here's an example of a config I've created in props to solve this very issue:
[mysourcetype] EXTRACT-custom_sourcetype_extract= (?<_KEY_1>[\w\s]+)\:\s?(?<_VAL_1>[^\n]+)

For reference: Regex Field Name Extraction

HattrickNZ · ‎01-24-2019

tks, but I was hoping to do it in the search not in the config(props and transform), that is if I understand correctly.

but I did try rex but I think I still need to know the fieldname, but good idea to think to use regex to work on the pattern, I will see if i can do anything more with it.

| makeresults 
  | eval data = "
   1-Sep    0;
   2-Sep    0; 
   " 
  | makemv delim=";" data 
  | mvexpand data 
  | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)" 
  | fields + Date kpi1 | rename kpi1 as "a name with spaces"
  | fields - _time
  | search Date=*
  | rename  "a name with spaces" as "kpi1"
  | rex field=kpi1 "(?<host>\d+)"

How do I rename a field I don't know the name of or will be different into something I know e.g. X

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup