Splunk Search

Rename Field created with Interactive Field Extractor

RVDowning
Contributor

How does one rename a field created with the Interactive Field Extractor?

ftk
Motivator

If you used the IFX the extraction is likely inline and should be easy to edit via the UI. Go to Manager > Fields > Field extractions and click on the name of the field extraction you created in the IFX. In the Extract/Transform field hunt down the field name (it will look similar to this: (?P<fieldname>...)). Just replace the fieldname with your desired name, and then click Save.

Alternatively, you can edit the appropriate EXTRACT line in the appropriate props.conf configuration file in $SPLUNK_HOME$/etc/apps/yourapp/local/props.conf.

ftk
Motivator

What error did you get in the Manager? Did a new props.conf appear after you renamed the original?

0 Karma

RVDowning
Contributor

Spoke too soon. I had tried renaming the field in props.conf. After your answer I renamed it back to the original name and then tried to delete the field using Manager > Fields > Field extractions but kept getting an error. So I renamed props.conf to xprops.conf hoping to get rid of it that way. However, when I run a search I still see the original field name and my attempted renaming of it in the list of fields.

0 Karma

RVDowning
Contributor

Ah, that was it. Thanks. I hadn't even noticed the app context.

0 Karma

ftk
Motivator

In Manager > Fields > Field extractions make sure you select the correct app context from the drop down at the top (or just select all). You should be able to find it then.

0 Karma
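
Added example (not part of the original thread, and not Splunk tooling): a Python sketch that walks a Splunk `etc` directory and reports which `props.conf` file, in which app or user context, holds an `EXTRACT-` line defining a given named capture group. The function names, the sample stanzas and the field names `usrname` and `src_ip` are constructed for illustration; point `find_extractions` at a real `$SPLUNK_HOME/etc` to use it.

```python
import re
import tempfile
from pathlib import Path

# EXTRACT-<class> = <regex>: the form an inline field extraction takes in props.conf
EXTRACT_LINE = re.compile(r"^\s*(EXTRACT-[^\s=]+)\s*=\s*(.+)$")
# Named capture groups, written (?P<name>...) or (?<name>...)
NAMED_GROUP = re.compile(r"\(\?P?<([A-Za-z_][A-Za-z0-9_]*)>")

def context_of(conf: Path, etc: Path) -> str:
    """Map a props.conf path to the context (user, app or system) that owns it."""
    parts = conf.relative_to(etc).parts
    if parts[0] == "users" and len(parts) >= 3:
        return f"user={parts[1]} app={parts[2]} (private)"
    if parts[0] == "apps" and len(parts) >= 2:
        return f"app={parts[1]}"
    return parts[0]  # e.g. "system"

def find_extractions(etc_dir, field):
    """Return (context, relative path, stanza, key) for each EXTRACT defining `field`."""
    etc, hits = Path(etc_dir), []
    for conf in sorted(etc.rglob("props.conf")):
        stanza = "default"  # settings before the first [stanza] header
        for line in conf.read_text(errors="replace").splitlines():
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
                continue
            m = EXTRACT_LINE.match(line)
            if m and field in NAMED_GROUP.findall(m.group(2)):
                hits.append((context_of(conf, etc), conf.relative_to(etc).as_posix(), stanza, m.group(1)))
    return hits

def build_sample_tree(root):
    """Constructed sample layout: one private (user-level) and one app-level extraction."""
    samples = {
        "users/admin/search/local/props.conf": "[my_sourcetype]\nEXTRACT-usr = user=(?P<usrname>\\w+)\n",
        "apps/yourapp/local/props.conf": "[other_sourcetype]\nEXTRACT-ip = src=(?P<src_ip>\\S+)\n",
    }
    for rel, body in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_extractions(tmp, "usrname"):
            print(*hit, sep=" | ")
```

A hit under `users/<user>/<app>/local` is a private extraction, which is why it only shows up in the Manager when the matching app context (or all) is selected.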

RVDowning
Contributor

No fields appear in Manager > Fields > Field extractions.

The only props.conf that contained the field name in question was in:
/opt/splunk/etc/users/admin/search/local

I had tried renaming the props.conf file thinking that I could then recreate the field spelled correctly, but it seemed to have no effect. I can still find no way to either delete the field so that it can be recreated, or to edit its contents unless I modify the generated regular expression manually.

0 Karma