Splunk Search

Rename Field created with Interactive Field Extractor

RVDowning
Contributor

How does one rename a field created with the Interactive Field Extractor?

ftk
Motivator

If you used the IFX the extraction is likley inline and should be easy to edit via the UI. Got to Manager > Fields > Field extractions and click on the name of the field extraction you created in the IFX. In the Extract/Transform field hunt down the field name (it will look similar to this: (?P ). Just replace the fieldname with your desired name, and then click Save.

Alternatively, you can edit the appropriate EXTRACT line in the appropriate props.conf configuration file in $SPLUNK_HOME$/etc/apps/yourapp/local/props.conf.

ftk
Motivator

What error did you get in the Manager? Did a new props.conf appear after you renamed the original?

0 Karma

RVDowning
Contributor

Spoke too soon. I had tried renaming the field in props.conf. After your answer I renamed it back to the original name and then tried to delete the field using Manager > Fields > Field extractions but kept getting an error. So I renamed props.conf to xprops.conf hoping to get rid of it that way. However when I run a search I still see the original field name and my attempted renaming of it in the list of fields.

0 Karma

RVDowning
Contributor

Ah, that was it. Thanks. I hadn't even noticed the app context.

0 Karma

ftk
Motivator

In Manager > Fields > Filed extractions make sure you select the correct app context from the drop down at the top (or just select all). You should be able to find it then.

0 Karma

RVDowning
Contributor

No fields appear in Manager > Fields > Field extractions

The only props.conf that contained the field name in question was in:
/opt/splunk/etc/users/admin/search/local

I had tried renaming the props.conf file thinking that I could then recreate the field spelled correctly, but it seemed to have no effect. I can still find no way to either delete the field so that it can be recreated, or to edit its contents unless I modify the generated regular expression manually.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...