Splunk Search

Rename a field whose name is stored in a lookup at search time

chancerose91
Explorer

I have data that looks like this:

List_Data  Type
A, B, C    type_1

.. or it might instead look like this

Totally_Different_Name  Type
A, B, C                 type_2

and I would like to move A,B,C to a different field or just rename the field that its in so that I can work with the list using a common name i.e..

Common_Name Type
A, B, C     type_2 

I created a lookup file which which identifies the name of the column based on the Type field...

types.csv:
Type    Source_Column
type_1  List_Data
type_2  Totally_Different_Name

The idea being that if I get a new type of data I can just add the column name to the lookup file.

So far I have tried things like...

index=whatever 
| lookup types.csv Type
| eval target_field_name="Common_Name"
| eval {target_field_name}=Source_Column

But I haven't figured out how to express that I want to set Common_Name equal to "the data contained in the field whose name is the value of the Source_Column field".

Ideally, I would be able to wrap the final solution into a macro so that I can dynamically provide the target_field_name e.g. "Common_Name"

0 Karma

to4kawa
SplunkTrust
SplunkTrust

UPDATED:
I think no need lookup CSV.
if the field added, add the argument of coalesce .

Query:

index=whatever 
| eval Common_name = coalesce(List_Data,Totally_Different_Name)

previous answer:

types.csv:

 Type   Common_name
 type_1 A, B, C 
 type_2 A, B, C

Query:

 index=whatever 
| lookup types.csv Type OUTPUT Common_name

chancerose91
Explorer

The A, B, C is not static. It's pulled from each event so I can't just add it to the lookup table.

0 Karma

chancerose91
Explorer

The edited answer looks like it will work as a decent workaround for my problem. Still hoping to hear back one way or the other about if my original question is possible in Splunk. It seems to me like there should be some supported way to rename "the data contained in the field whose name is the value of the Source_Column field".

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!