Splunk Search

How do I rename field name with dollar and curly braces in name?

ReddySk
Engager

Hello,

I would like to ask you how to rename field name like "${http.headers.ClientSide}".

Such names are generated by Axway API GW into audit log.

Searching and filtering is working when i use backslahes:

index="axway"  source="group-6_instance-9.log"| spath "customMsgAtts.\$\{http.headers.ClientSide\}" | search "customMsgAtts.\$\{http.headers.ClientSide\}"="165.72.31.104"

but renaming does nothing:

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.\$\{http.headers.ClientSide\} as "ClientSide"

I have tried also various codes:

index="axway"  source="group-6_instance-9.log" | rename customMsgAtts.${http.headers.ClientSide} as "ClientSide"

and

index="axway"  source="group-6_instance-9.log" | rename "customMsgAtts.\$\{http.headers.ClientSide\}" as "ClientSide"

with no result.

Any hint what I am doing wrong?

Source data:

{ correlationId:    4b22b65b1133c88ed95c0591       
  customMsgAtts: {      
    ${http.headers.ClientSide}: 165.72.31.104
    http.destination.host: localhost    
    service.name: Healthcheck       }       
  duration: 2       
  legs: [   [+]     ]      
path: /healthcheck/  
  protocol: https       
  protocolSrc: 48065       
  serviceContexts: [    [+]     ]      
  status: success       
  time: 1538662987857       
  type: transaction 
}

Thanks in advance
Reddy

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ReddySk

I think your search should work.

Can you please try below search to filter data?

| makeresults | eval _raw="{\"correlationId\":\"4b22b65b1133c88ed95c0591\",\"customMsgAtts\": { \"${http.headers.ClientSide}\" : \"165.72.31.104\",\"service.name\":\"Healthcheck\"}}" | kv | rename "customMsgAtts.${http.headers.ClientSide}" as ClientSide

Please provide your event with sample data so I can help more.

0 Karma

sudosplunk
Motivator

Hi,

Can you try below search. This search extracts the ip address in ${http.headers.ClientSide} field with new field name ClientSide

 index="axway"  source="group-6_instance-9.log" | rex field=_raw "ClientSide\}\:\s(?<ClientSide>[\d\.]+)" | table ClinetSide
0 Karma

harishalipaka
Motivator

@ReddySk

Or else try like this..

| makeresults | eval hari="${http.headers.ClientSide}" | transpose | replace "${http.headers.ClientSide}" with "newname" |transpose
Thanks
Harish
0 Karma

ReddySk
Engager

Hi Hari, i tried that but the value of field hari is not substituted, just it is the string "${http.headers.ClientSide}"

0 Karma

Vijeta
Influencer

Have you tried-

rename  "customMsgAtts.${http.headers.ClientSide}" as ClientSide
0 Karma

ReddySk
Engager

Hello, this doesn't work unfortunately.

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...