How do I rename field name with dollar and curly b...

ReddySk · ‎10-04-2018

Hello,

I would like to ask you how to rename field name like "${http.headers.ClientSide}".

Such names are generated by Axway API GW into audit log.

Searching and filtering is working when i use backslahes:

index="axway"  source="group-6_instance-9.log"| spath "customMsgAtts.\$\{http.headers.ClientSide\}" | search "customMsgAtts.\$\{http.headers.ClientSide\}"="165.72.31.104"

but renaming does nothing:

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.\$\{http.headers.ClientSide\} as "ClientSide"

I have tried also various codes:

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.${http.headers.ClientSide} as "ClientSide"

and

index="axway"  source="group-6_instance-9.log" | rename "customMsgAtts.\$\{http.headers.ClientSide\}" as "ClientSide"

with no result.

Any hint what I am doing wrong?

Source data:

{ correlationId:    4b22b65b1133c88ed95c0591       
  customMsgAtts: {      
    ${http.headers.ClientSide}: 165.72.31.104
    http.destination.host: localhost    
    service.name: Healthcheck       }       
  duration: 2       
  legs: [   [+]     ]      
path: /healthcheck/  
  protocol: https       
  protocolSrc: 48065       
  serviceContexts: [    [+]     ]      
  status: success       
  time: 1538662987857       
  type: transaction 
}

Thanks in advance
Reddy

kamlesh_vaghela · ‎10-17-2018

@ReddySk

I think your search should work.

Can you please try below search to filter data?

| makeresults | eval _raw="{\"correlationId\":\"4b22b65b1133c88ed95c0591\",\"customMsgAtts\": { \"${http.headers.ClientSide}\" : \"165.72.31.104\",\"service.name\":\"Healthcheck\"}}" | kv | rename "customMsgAtts.${http.headers.ClientSide}" as ClientSide

Please provide your event with sample data so I can help more.

sudosplunk · ‎10-17-2018

Hi,

Can you try below search. This search extracts the ip address in ${http.headers.ClientSide} field with new field name ClientSide

 index="axway"  source="group-6_instance-9.log" | rex field=_raw "ClientSide\}\:\s(?<ClientSide>[\d\.]+)" | table ClinetSide

harishalipaka · ‎10-04-2018

@ReddySk

Or else try like this..

| makeresults | eval hari="${http.headers.ClientSide}" | transpose | replace "${http.headers.ClientSide}" with "newname" |transpose

Thanks
Harish

ReddySk · ‎10-17-2018

Hi Hari, i tried that but the value of field hari is not substituted, just it is the string "${http.headers.ClientSide}"

Vijeta · ‎10-04-2018

Have you tried-

rename  "customMsgAtts.${http.headers.ClientSide}" as ClientSide

ReddySk · ‎10-17-2018

Hello, this doesn't work unfortunately.

How do I rename field name with dollar and curly braces in name?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)