Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename a field name with curly braces by using Field Alias ?

erwanlebaron
Engager
‎09-22-2022 06:01 AM

Hi

 

I have several search where I performed renaming. Some of them are done on fied which looks like

  • xxx.yyy{}.aaa
  • xxx.yyy{}.bbb
  • zzz{}.ccc

In the search I do

| rename xxx.yyy{}.aaa as newname1,      xxx.yyy{}.bbb as newname2,     zzz{}.ccc as newname3

I tried to implement it with field alias configuration but it's doesn't work

 

Is it possible ?
I don't find any documentation about this specification

 

PS : my field alias works properly without curly braces

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andrew_nelson
Communicator
‎09-22-2022 06:46 AM

You can create the Field Alias through the UI using Settings > Fields > Field aliases. 
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

View solution in original post

0 Karma
Reply
Solved! Jump to solution

erwanlebaron
Engager
‎09-26-2022 01:54 AM

Hi @andrew_nelson 

 

Thanks for the answers. It works now.

It was what I've configured.

I just don't understand why alias without {} has applied instantly and those {} was not visible last week. Now I can see all my alias !

 

Have a nice day

0 Karma
Reply
Solved! Jump to solution
Solution

andrew_nelson
Communicator
‎09-22-2022 06:46 AM

You can create the Field Alias through the UI using Settings > Fields > Field aliases. 
The format is old{}.field = newField

If you'd prefer to do it via conf file, the format requires quotes:
FIELDALIAS-<alias_name> = "old{}.field" as newField

0 Karma
Reply
Get Updates on the Splunk Community!

Simplifying the Analyst Experience with Finding-based Detections

    Splunk invites you to an engaging Tech Talk focused on streamlining security operations with ...

[Puzzles] Solve, Learn, Repeat: Word Search

This challenge was first posted on Slack #puzzles channelThis puzzle is based on a letter grid containing ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4

Advent of CodeIn order to participate in these challenges, you will need to register with the Advent of Code ...