Splunk Search

How to rename a field name with curly braces by using Field Alias ?

erwanlebaron
Engager

Hi

 

I have several search where I performed renaming. Some of them are done on fied which looks like

  • xxx.yyy{}.aaa
  • xxx.yyy{}.bbb
  • zzz{}.ccc

In the search I do

| rename xxx.yyy{}.aaa as newname1,      xxx.yyy{}.bbb as newname2,     zzz{}.ccc as newname3

I tried to implement it with field alias configuration but it's doesn't work

 

Is it possible ?
I don't find any documentation about this specification

 

PS : my field alias works properly without curly braces

Labels (1)
0 Karma
1 Solution

andrew_nelson
Communicator

You can create the Field Alias through the UI using Settings > Fields > Field aliases. 
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

View solution in original post

0 Karma

erwanlebaron
Engager

Hi @andrew_nelson 

 

Thanks for the answers. It works now.

It was what I've configured.

I just don't understand why alias without {} has applied instantly and those {} was not visible last week. Now I can see all my alias !

 

Have a nice day

0 Karma

andrew_nelson
Communicator

You can create the Field Alias through the UI using Settings > Fields > Field aliases. 
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...