Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to set a field alias at search time?

knutsod
Path Finder
‎07-28-2014 01:02 PM

Is there a way to set a Field Alias as search time, I am building a report looking at Windows Event IDs, In this case I want to know if the User or The User_Name field are = to something. This would be simple with an OR but I am using an inputlookup sub search to get the list of users from a CSV.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

okrabbe
Explorer
‎07-28-2014 01:07 PM

Yes, there is the rename command

mysearch | rename User as user User_Name as user

One other option is to use coalesce with an eval 

mysearch | eval user=coalesce(User, User_Name)

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-28-2014 01:08 PM

You can handle that in subsearch query itself.
e.g. |inputlookup yourlookup.csv | eval User=User_Name | table User, User_Name | format "(" "(" "OR" ")" "OR" ")"

0 Karma
Reply
Solved! Jump to solution
Solution

okrabbe
Explorer
‎07-28-2014 01:07 PM

Yes, there is the rename command

mysearch | rename User as user User_Name as user

One other option is to use coalesce with an eval 

mysearch | eval user=coalesce(User, User_Name)
Reply
Solved! Jump to solution

landen99
Motivator
‎01-24-2019 05:40 AM

rename replaces the target field, even if there was something there before, if it appears consecutively like this:

mysearch | rename User as user | rename User_Name as user

rename only coalesces if it appears for both fields within the same pipe like this:

mysearch | rename User as user User_Name as user
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...