- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I rename field name with dollar and curly braces in name?
Hello,
I would like to ask you how to rename field name like "${http.headers.ClientSide}".
Such names are generated by Axway API GW into audit log.
Searching and filtering is working when i use backslahes:
index="axway" source="group-6_instance-9.log"| spath "customMsgAtts.\$\{http.headers.ClientSide\}" | search "customMsgAtts.\$\{http.headers.ClientSide\}"="165.72.31.104"
but renaming does nothing:
index="axway" source="group-6_instance-9.log" | rename customMsgAtts.\$\{http.headers.ClientSide\} as "ClientSide"
I have tried also various codes:
index="axway" source="group-6_instance-9.log" | rename customMsgAtts.${http.headers.ClientSide} as "ClientSide"
and
index="axway" source="group-6_instance-9.log" | rename "customMsgAtts.\$\{http.headers.ClientSide\}" as "ClientSide"
with no result.
Any hint what I am doing wrong?
Source data:
{ correlationId: 4b22b65b1133c88ed95c0591
customMsgAtts: {
${http.headers.ClientSide}: 165.72.31.104
http.destination.host: localhost
service.name: Healthcheck }
duration: 2
legs: [ [+] ]
path: /healthcheck/
protocol: https
protocolSrc: 48065
serviceContexts: [ [+] ]
status: success
time: 1538662987857
type: transaction
}
Thanks in advance
Reddy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ReddySk
I think your search should work.
Can you please try below search to filter data?
| makeresults | eval _raw="{\"correlationId\":\"4b22b65b1133c88ed95c0591\",\"customMsgAtts\": { \"${http.headers.ClientSide}\" : \"165.72.31.104\",\"service.name\":\"Healthcheck\"}}" | kv | rename "customMsgAtts.${http.headers.ClientSide}" as ClientSide
Please provide your event with sample data so I can help more.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can you try below search. This search extracts the ip address in ${http.headers.ClientSide} field with new field name ClientSide
index="axway" source="group-6_instance-9.log" | rex field=_raw "ClientSide\}\:\s(?<ClientSide>[\d\.]+)" | table ClinetSide
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ReddySk
Or else try like this..
| makeresults | eval hari="${http.headers.ClientSide}" | transpose | replace "${http.headers.ClientSide}" with "newname" |transpose
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Hari, i tried that but the value of field hari is not substituted, just it is the string "${http.headers.ClientSide}"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried-
rename "customMsgAtts.${http.headers.ClientSide}" as ClientSide
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, this doesn't work unfortunately.
