Is there a way to set a field alias at search time?

Path Finder

Is there a way to set a field alias at search time? I am building a report looking at Windows Event IDs. In this case I want to know if the User or the User_Name field is equal to something. This would be simple with an OR, but I am using an inputlookup subsearch to get the list of users from a CSV.

Re: Is there a way to set a field alias at search time?

Explorer

Yes, there is the rename command:

mysearch | rename User as user User_Name as user

One other option is to use coalesce with an eval:

mysearch | eval user=coalesce(User, User_Name)

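Putting the accepted answer together with the inputlookup subsearch from the question, as an added example that is not part of any post above. It assumes a lookup named watched_users.csv with a column called username and an index named wineventlog; both are placeholders.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
| eval user=coalesce(User, User_Name)
| search [
    | inputlookup watched_users.csv
    | rename username AS user
    | table user
    | format ]
| stats count AS logons, values(EventCode) AS event_ids BY user
```

The subsearch expands to `( ( user="alice" ) OR ( user="bob" ) ... )`, so renaming the lookup column to the coalesced field name lets one subsearch cover both User and User_Name while leaving the original fields intact for the report.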
Re: Is there a way to set a field alias at search time?

Motivator

rename replaces the target field, even if there was something there before, if it appears consecutively like this:

mysearch | rename User as user | rename User_Name as user

rename only coalesces if it appears for both fields within the same pipe like this:

mysearch | rename User as user User_Name as user
Re: Is there a way to set a field alias at search time?

SplunkTrust

You can handle that in the subsearch query itself, e.g.:

|inputlookup yourlookup.csv | eval User=UserName | table User, UserName | format "(" "(" "OR" ")" "OR" ")"
