Splunk Search

Rename a field whose name is stored in a lookup at search time

chancerose91
Explorer

I have data that looks like this:

List_Data  Type
A, B, C    type_1

.. or it might instead look like this

Totally_Different_Name  Type
A, B, C                 type_2

and I would like to move A,B,C to a different field or just rename the field that it's in so that I can work with the list using a common name, i.e.

Common_Name Type
A, B, C     type_2 

I created a lookup file which identifies the name of the column based on the Type field...

types.csv:
Type    Source_Column
type_1  List_Data
type_2  Totally_Different_Name

The idea being that if I get a new type of data I can just add the column name to the lookup file.

So far I have tried things like...

index=whatever 
| lookup types.csv Type
| eval target_field_name="Common_Name"
| eval {target_field_name}=Source_Column

But I haven't figured out how to express that I want to set Common_Name equal to "the data contained in the field whose name is the value of the Source_Column field".

Ideally, I would be able to wrap the final solution into a macro so that I can dynamically provide the target_field_name e.g. "Common_Name"

0 Karma

to4kawa
Ultra Champion

UPDATED:
I think there is no need for the lookup CSV.
If a field is added, add it as an argument of coalesce.

Query:

index=whatever 
| eval Common_name = coalesce(List_Data,Totally_Different_Name)

previous answer:

types.csv:

Type   Common_name
type_1 A, B, C
type_2 A, B, C

Query:

index=whatever 
| lookup types.csv Type OUTPUT Common_name

chancerose91
Explorer

The A, B, C is not static. It's pulled from each event so I can't just add it to the lookup table.

0 Karma

chancerose91
Explorer

The edited answer looks like it will work as a decent workaround for my problem. Still hoping to hear back one way or the other about whether my original question is possible in Splunk. It seems to me like there should be some supported way to rename "the data contained in the field whose name is the value of the Source_Column field".

0 Karma
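As an added example (not posted by either participant), the lookup-driven rename from the original question can be done with `foreach`, which substitutes each field name for the `<<FIELD>>` token and so lets the search compare a field's name against the value of `Source_Column` and copy that field's value. It assumes the `types.csv` lookup exactly as defined in the question and the hypothetical `index=whatever` used there; `Common_Name` is the common target field.

```spl
index=whatever
| lookup types.csv Type OUTPUT Source_Column
| foreach * [ eval Common_Name=if("<<FIELD>>"==Source_Column, '<<FIELD>>', Common_Name) ]
| table Type Source_Column Common_Name
```

Adding a new data type then only requires a new row in `types.csv`, and detections written against `Common_Name` keep working across source types. Because `foreach *` visits every field, keep the lookup's `Source_Column` values exact (they are compared as literal strings, case-sensitively).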