Solved: How to rename a field name with curly braces by us... - Splunk Community

Splunk Search

Hi

I have several search where I performed renaming. Some of them are done on fied which looks like

xxx.yyy{}.aaa
xxx.yyy{}.bbb
zzz{}.ccc

In the search I do

| rename xxx.yyy{}.aaa as newname1, xxx.yyy{}.bbb as newname2, zzz{}.ccc as newname3

I tried to implement it with field alias configuration but it's doesn't work

Is it possible ?
I don't find any documentation about this specification

PS : my field alias works properly without curly braces

1 Solution

Solution

You can create the Field Alias through the UI using Settings > Fields > Field aliases.
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

View solution in original post

Hi @andrew_nelson

Thanks for the answers. It works now.

It was what I've configured.

I just don't understand why alias without {} has applied instantly and those {} was not visible last week. Now I can see all my alias !

Have a nice day

Solution

You can create the Field Alias through the UI using Settings > Fields > Field aliases.
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...