How do I rename a field I don't know the name of or will be different into something I know e.g. X??
So, imagine I have a field name I don't know the name of, and I want to change it to a name I do know. How would I do this?
I was thinking rename * as X
So instead of this output:
Date How do i rename a field I dont't know the name of or will be different into something I know e.g. X
1 1-Sep 0
2 2-Sep 0
I would have this output, but I don't know the name of the field to change it to X.
Date X
1 1-Sep 0
2 2-Sep 0
Some sample search/data:
| makeresults
| eval data = "
1-Sep 0;
2-Sep 0;"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)"
| fields + Date kpi1 | rename kpi1 as "a name with spaces"
| fields - _time
| search Date=*
| rename "a name with spaces" as "How do i rename a field I dont't know the name of or will be different into something I know e.g. X"
Would something like this work for you?
| gentimes start=-1
| eval data = "
1-Sep 0;
2-Sep 0;"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)"
| fields + Date kpi1 | rename kpi1 as "a name with spaces"
| fields - _time
| search Date=*
| rename "a name with spaces" as "How do i rename a field I dont't know the name of or will be different into something I know e.g. X" | eval X=null()
| foreach * [ eval X=if("<<FIELD>>"!="Date" AND "<<FIELD>>"!="OtherFieldsYouWantToKeep",'<<FIELD>>',X) ] | table Date OtherFieldsYouWantToKeep X
I could not follow that. But it got me thinking of something like this:
| foreach *X* [ rename '<FIELD>' as Y2]
So let's say I have a field name aXa
(I only know it has an X in the middle). Can I change the field name to something I know, e.g. Y2?
effectively I want Y2 = eval *X*
but not sure how to do it.
Y2 the new field that I know the name of
X the field that I partially know the name of
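The follow-up above (a field known only to contain X, copied into a known name Y2) can be done in the search itself with foreach and eval. This is an added example, not part of the original thread: the field name aXa and the sample data are constructed, and coalesce keeps the first match if more than one field matches *X*.

```spl
| makeresults
| eval data="1-Sep 0;2-Sep 0"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<aXa>\d+)"
| foreach *X* [ eval Y2=coalesce(Y2, '<<FIELD>>') ]
| table Date Y2
```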
If you at least know a regex pattern you can use to extract the field name and value combinations you can use an EXTRACT statement in props, or a combination of props and transforms, to extract your field names and values.
If, for example, your events have something like "field=value" you could use (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)
Here's an example of a config I've created in props to solve this very issue:
EXTRACT-custom_sourcetype_extract= (?<_KEY_1>[\w\s]+)\:\s?(?<_VAL_1>[^\n]+)
For reference: Regex Field Name Extraction
Thanks, but I was hoping to do it in the search, not in the config (props and transform), that is if I understand correctly.
But I did try rex, but I think I still need to know the field name. Good idea to use regex to work on the pattern, though; I will see if I can do anything more with it.
| makeresults
| eval data = "
1-Sep 0;
2-Sep 0;"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)"
| fields + Date kpi1 | rename kpi1 as "a name with spaces"
| fields - _time
| search Date=*
| rename "a name with spaces" as "kpi1"
| rex field=kpi1 "(?<host>\d+)"