How to rename field names using lookups and regex?

shikhanshu · ‎09-25-2014

I wish to rename fields. But not as straightforward as:

rename prefix_* as *

For a field name "prefix_some_field_name", I want to rename as "Some Field Name". This needs regex substitution

For a field name "prefix_sm_shrthnd_txt", I want to rename as "Some Shorthand Text", ofcourse I will define the lookup of "sm_shrthnd_txt" to "Some Shorthand Text", but where? And how do I use that lookup in rename operation?

I have used lookups and regex in field value manipuation, but not field names! Any ideas?

ulrich_track · ‎09-25-2014

Would it be sufficient for you, if you used the rename command in your search?

E.g. rename prefix_sm_shrthnd_txt AS "Some Shorthand Text"

Unfortunately, this would mean that you would have to rename your complete list in the search field and not use a lookup (depends on the number of entries, you would have here)

shikhanshu · ‎09-25-2014

That was my first thought as well. But I have way too many fields to do this manually in each report.

Is there documentation on how to define and use lookups for field renaming? I tried finding in Splunk Docs but couldn't get anywhere. And also regex renaming (like replace _ with space, make first letter capital for each word etc.)

How to rename field names using lookups and regex?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?