Solved: Re: How to rename a field name with curly braces b...

erwanlebaron · ‎09-22-2022

Hi

I have several search where I performed renaming. Some of them are done on fied which looks like

xxx.yyy{}.aaa
xxx.yyy{}.bbb
zzz{}.ccc

In the search I do

| rename xxx.yyy{}.aaa as newname1, xxx.yyy{}.bbb as newname2, zzz{}.ccc as newname3

I tried to implement it with field alias configuration but it's doesn't work

Is it possible ?
I don't find any documentation about this specification

PS : my field alias works properly without curly braces

andrew_nelson · ‎09-22-2022

You can create the Field Alias through the UI using Settings > Fields > Field aliases.
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

View solution in original post

erwanlebaron · ‎09-26-2022

Hi @andrew_nelson

Thanks for the answers. It works now.

It was what I've configured.

I just don't understand why alias without {} has applied instantly and those {} was not visible last week. Now I can see all my alias !

Have a nice day

andrew_nelson · ‎09-22-2022

You can create the Field Alias through the UI using Settings > Fields > Field aliases.
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

How to rename a field name with curly braces by using Field Alias ?

fields

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?