Splunk Search

How do I rename field name with dollar and curly braces in name?



I would like to ask you how to rename field name like "${http.headers.ClientSide}".

Such names are generated by Axway API GW into audit log.

Searching and filtering is working when i use backslahes:

index="axway"  source="group-6_instance-9.log"| spath "customMsgAtts.\$\{http.headers.ClientSide\}" | search "customMsgAtts.\$\{http.headers.ClientSide\}"=""

but renaming does nothing:

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.\$\{http.headers.ClientSide\} as "ClientSide"

I have tried also various codes:

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.${http.headers.ClientSide} as "ClientSide"


index="axway"  source="group-6_instance-9.log" | rename "customMsgAtts.\$\{http.headers.ClientSide\}" as "ClientSide"

with no result.

Any hint what I am doing wrong?

Source data:

{ correlationId:    4b22b65b1133c88ed95c0591       
  customMsgAtts: {      
    http.destination.host: localhost    
    service.name: Healthcheck       }       
  duration: 2       
  legs: [   [+]     ]      
path: /healthcheck/  
  protocol: https       
  protocolSrc: 48065       
  serviceContexts: [    [+]     ]      
  status: success       
  time: 1538662987857       
  type: transaction 

Thanks in advance

0 Karma



I think your search should work.

Can you please try below search to filter data?

| makeresults | eval _raw="{\"correlationId\":\"4b22b65b1133c88ed95c0591\",\"customMsgAtts\": { \"${http.headers.ClientSide}\" : \"\",\"service.name\":\"Healthcheck\"}}" | kv | rename "customMsgAtts.${http.headers.ClientSide}" as ClientSide

Please provide your event with sample data so I can help more.

0 Karma



Can you try below search. This search extracts the ip address in ${http.headers.ClientSide} field with new field name ClientSide

 index="axway"  source="group-6_instance-9.log" | rex field=_raw "ClientSide\}\:\s(?<ClientSide>[\d\.]+)" | table ClinetSide
0 Karma


Or else try like this..

| makeresults | eval hari="${http.headers.ClientSide}" | transpose | replace "${http.headers.ClientSide}" with "newname" |transpose
0 Karma


Hi Hari, i tried that but the value of field hari is not substituted, just it is the string "${http.headers.ClientSide}"

0 Karma


Have you tried-

rename  "customMsgAtts.${http.headers.ClientSide}" as ClientSide
0 Karma


Hello, this doesn't work unfortunately.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!