Solved: Is there a way to set a field alias at search time...

knutsod · ‎07-28-2014

Is there a way to set a Field Alias as search time, I am building a report looking at Windows Event IDs, In this case I want to know if the User or The User_Name field are = to something. This would be simple with an OR but I am using an inputlookup sub search to get the list of users from a CSV.

okrabbe · ‎07-28-2014

Yes, there is the rename command

mysearch | rename User as user User_Name as user

One other option is to use coalesce with an eval

mysearch | eval user=coalesce(User, User_Name)

View solution in original post

somesoni2 · ‎07-28-2014

You can handle that in subsearch query itself.
e.g. |inputlookup yourlookup.csv | eval User=User_Name | table User, User_Name | format "(" "(" "OR" ")" "OR" ")"

okrabbe · ‎07-28-2014

Yes, there is the rename command

mysearch | rename User as user User_Name as user

One other option is to use coalesce with an eval

mysearch | eval user=coalesce(User, User_Name)

landen99 · ‎01-24-2019

rename replaces the target field, even if there was something there before, if it appears consecutively like this:

mysearch | rename User as user | rename User_Name as user

rename only coalesces if it appears for both fields within the same pipe like this:

mysearch | rename User as user User_Name as user

Is there a way to set a field alias at search time?

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring