Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I rename field name with dollar and curly braces in name?

ReddySk
Engager
‎10-04-2018 07:43 AM

Hello,

I would like to ask you how to rename field name like "${http.headers.ClientSide}".

Such names are generated by Axway API GW into audit log.

Searching and filtering is working when i use backslahes:

index="axway"  source="group-6_instance-9.log"| spath "customMsgAtts.\$\{http.headers.ClientSide\}" | search "customMsgAtts.\$\{http.headers.ClientSide\}"="165.72.31.104"

but renaming does nothing:

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.\$\{http.headers.ClientSide\} as "ClientSide"

I have tried also various codes: 

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.${http.headers.ClientSide} as "ClientSide"

and

index="axway"  source="group-6_instance-9.log" | rename "customMsgAtts.\$\{http.headers.ClientSide\}" as "ClientSide"

with no result.

Any hint what I am doing wrong?

Source data:

{ correlationId:    4b22b65b1133c88ed95c0591       
  customMsgAtts: {      
    ${http.headers.ClientSide}: 165.72.31.104
    http.destination.host: localhost    
    service.name: Healthcheck       }       
  duration: 2       
  legs: [   [+]     ]      
path: /healthcheck/  
  protocol: https       
  protocolSrc: 48065       
  serviceContexts: [    [+]     ]      
  status: success       
  time: 1538662987857       
  type: transaction 
}

Thanks in advance
Reddy

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-17-2018 06:04 AM

@ReddySk

I think your search should work.

Can you please try below search to filter data?

| makeresults | eval _raw="{\"correlationId\":\"4b22b65b1133c88ed95c0591\",\"customMsgAtts\": { \"${http.headers.ClientSide}\" : \"165.72.31.104\",\"service.name\":\"Healthcheck\"}}" | kv | rename "customMsgAtts.${http.headers.ClientSide}" as ClientSide

Please provide your event with sample data so I can help more.

0 Karma
Reply

sudosplunk
Motivator
‎10-17-2018 05:19 AM

Hi,

Can you try below search. This search extracts the ip address in ${http.headers.ClientSide} field with new field name ClientSide

 index="axway"  source="group-6_instance-9.log" | rex field=_raw "ClientSide\}\:\s(?<ClientSide>[\d\.]+)" | table ClinetSide
0 Karma
Reply

harishalipaka
Motivator
‎10-04-2018 12:12 PM

@ReddySk

Or else try like this..

| makeresults | eval hari="${http.headers.ClientSide}" | transpose | replace "${http.headers.ClientSide}" with "newname" |transpose
Thanks
Harish
0 Karma
Reply

ReddySk
Engager
‎10-17-2018 05:22 AM

Hi Hari, i tried that but the value of field hari is not substituted, just it is the string "${http.headers.ClientSide}"

0 Karma
Reply

Vijeta
Influencer
‎10-04-2018 11:30 AM

Have you tried-

rename  "customMsgAtts.${http.headers.ClientSide}" as ClientSide
0 Karma
Reply

ReddySk
Engager
‎10-17-2018 05:03 AM

Hello, this doesn't work unfortunately.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...