Splunk Search

Mass rename of fields

landen99
Motivator

I want to rename any number of fields/columns based on simple patterns.
From:

randomfields, a1.name1.stuff, a2.name2.foo, a3.othername.bar, a4.pickme.null

To:

randomfields, name1, name2, othername, pickme

How do I do this when the number of fields to be renamed can be 20, 30, or more? One considered solution involves either: transpose, rex, transpose, or: untable, xyseries, but both have brought their own issues with column names in the first event instead of in the field names, and with the key field respectively.

Also, they come from a SQL table in this case and look a little different than the examples above, so if you know the general form returned by dbxquery following the pattern above and know how to tell SQL or Splunk to return the fields in the right form matching above, please feel free to share that approach as well.

0 Karma

somesoni2
SplunkTrust

The dbxquery command has an option using which you can return the proper name from your SQL queries.

shortnames

Syntax: shortnames=<bool>
Description: By default, the returned fields will be in the form <TABLE>.<COLUMN>.<DATATYPE>. Setting the shortnames argument to true will return fields called <COLUMN>.
Default: shortnames=false
Note: To emulate the output format of the dbquery command from DB Connect v1, set output to csv and shortnames to true.

See this: http://docs.splunk.com/Documentation/DBX/2.4.0/DeployDBX/Commands#dbxquery

As far as renaming is concerned, the replace command allows wildcards in its syntax, so you could do something like this, one expression for each unique pattern (table name and data type).

your search | rename a1.*.stuff as *, a2.*.foo as *, a3.*.bar as *, a4.*.null as *
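
An added example, not part of the original answer: a generalization that uses foreach so that one expression covers every <TABLE>.<COLUMN>.<DATATYPE> field, however many table prefixes and data types there are. The makeresults row is constructed sample data, and the search assumes that column names contain no periods themselves.

```spl
| makeresults
``` constructed sample row using the field names from the question ```
| eval randomfields="r", "a1.name1.stuff"="v1", "a2.name2.foo"="v2",
       "a3.othername.bar"="v3", "a4.pickme.null"="v4"
``` copy each three-segment field to a field named after its middle segment; ```
``` coalesce keeps the first value if two tables share a column name ```
| foreach *.*.* [ eval "<<MATCHSEG2>>"=coalesce('<<MATCHSEG2>>', '<<FIELD>>') ]
``` drop the original long names ```
| fields - *.*.*
| table randomfields, name1, name2, othername, pickme
```

When two tables expose the same column name, only one value survives under the short name, so check for collisions before relying on the shortened fields in a report or alert.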

cmerriman
Super Champion

are the prefixes always a letter followed by a digit and a period?

0 Karma

landen99
Motivator

always, yes.

0 Karma