Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I rename a nested field?

stong2351
New Member
‎05-21-2020 12:29 PM

I have an eval query.

The details object returned looks like this:
{
status: 404,
code: ERROR
}


"details.status"=404 | eval detailsStatus=details.status | table detailsStatus

detailsStatus never has a value in the table though. What am I doing wrong?

Tags (3)
0 Karma
Reply

kjvarga
Observer
‎11-24-2022 04:45 PM

Using eval and single quotes worked for me, for example: 

namespace="production" container_name="payment-service" type="event" data.event="setup_intent.setup_failed" | eval userId = 'data.event_data.data.object.metadata.user_id' | table userId
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-21-2020 12:55 PM

I've done that before, but don't recall if I used |eval detailsStatus = "details.status", | eval detailsStatus = 'details.status', or | rename "details.stats" as detailsStatus. Perhaps one of them will work for you.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

It’s go time — Boston, here we come!

Are you ready to take your Splunk skills to the next level? Get set, because Splunk University is back, and ...

Performance Tuning the Platform, SPL2 Templates, and More New Articles on Splunk ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top