Remove Wildcard from Field Name

makarand13 · ‎05-15-2018

I have some ticketing data being imported into Splunk for analysis. There are a couple of field names with an asterix (*) in them.

Example - Priority*

How do I rename such a field to just "Priority", or a non-wildcard string? Thanks !!

harishalipaka · ‎05-16-2018

| transpose 
| replace "Priority*" with Priority 
| transpose header_field=column

Thanks
Harish

elliotproebstel · ‎05-16-2018

To build on this and make it rename all field names containing wildcards at once:

| transpose 
| rex field=column mode=sed "s/\*//g" 
| transpose header_field=column 
| fields - column

niketn · ‎05-16-2018

@makarand13 can you post raw events where such wildcard based fields exist?

The following could be a fix during search time however, you should rather fix it while indexing using SEDCMD

<yourBaseSearch>
|  eval priority='Priority*'
|  fields - Priority*

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel · ‎05-16-2018

Upvoting this especially to reinforce that the best solution is to fix while indexing!

Are you a member of the Splunk Community?