Rename field by using one of multiple wildcards

Explorer

I have a query that counts by source and leaves me with fields that are named like /logs/containers/3198058471-5mdkn_ef22f06f3462c74029d23d3ef6d5c765ecd41c2f86f796b074ea2e2de83bf4bd.log.

I would like to rename my fields to whatever comes after /logs/containers/ and before the _.

I am looking for something like this:

| rename /logs/containers/*_* as *
1 Solution

SplunkTrust

@maartendhondt

Can you please try this?

YOUR_SEARCH | foreach "/logs/containers/*" [ eval field=mvindex(split("<<MATCHSTR>>","_"),0), {field}='<<FIELD>>' ] | fields - "/logs/containers/*", field

My Sample Search:

| makeresults 
| eval "/logs/containers/3198058471-5mdkn_ef22f06f3462c74029d23d3ef6d5c765ecd41c2f86f796b074ea2e2de83bf4bd.log"="aaa" 
| foreach "/logs/containers/*" [ eval field=mvindex(split("<<MATCHSTR>>","_"),0), {field}='<<FIELD>>' ] | fields - "/logs/containers/*", field

Thanks

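To make the accepted answer's logic checkable outside Splunk, here is an added Python model (not code from the thread) of what the foreach/split/mvindex pipeline does to one result row; PREFIX, the helper names and the sample row are my own assumptions. It goes one step beyond the thread by flagging the one thing the SPL does silently: two original fields whose names share the same part before the first underscore collapse into one field, and only the last-visited value survives.

```python
# Added example, not code from the thread: a plain-Python model of what the
# accepted answer's foreach/split/mvindex pipeline does to one result row,
# so its behaviour on edge cases can be checked outside Splunk.
from typing import Dict, List

PREFIX = "/logs/containers/"  # literal part of the foreach pattern "/logs/containers/*"


def rename_container_fields(row: Dict[str, str]) -> Dict[str, str]:
    """Model of the SPL:
         foreach "/logs/containers/*" [ eval field=mvindex(split("<<MATCHSTR>>","_"),0),
                                        {field}='<<FIELD>>' ]
         | fields - "/logs/containers/*", field
    For each field whose name starts with PREFIX, MATCHSTR is what '*' matched;
    the new name is MATCHSTR up to its first '_' (all of MATCHSTR when it has
    no '_'), the value is copied over, and the original field is dropped.
    """
    out = {k: v for k, v in row.items() if not k.startswith(PREFIX)}
    for name, value in row.items():
        if not name.startswith(PREFIX):
            continue
        matchstr = name[len(PREFIX):]
        new_name = matchstr.split("_")[0]  # mvindex(split(MATCHSTR, "_"), 0)
        out[new_name] = value              # {field}='<<FIELD>>': a repeated new_name overwrites
    return out


def colliding_names(row: Dict[str, str]) -> Dict[str, List[str]]:
    """Check worth running first: new names that more than one original field maps to.
    The SPL keeps only the value of whichever of them foreach visits last."""
    mapping: Dict[str, List[str]] = {}
    for name in row:
        if name.startswith(PREFIX):
            mapping.setdefault(name[len(PREFIX):].split("_")[0], []).append(name)
    return {k: v for k, v in mapping.items() if len(v) > 1}


# Constructed sample row: the first long field name is the one from the question,
# the other two are made up to exercise the no-underscore and collision cases.
SAMPLE_ROW = {
    "host": "node-1",
    "/logs/containers/3198058471-5mdkn_ef22f06f3462c74029d23d3ef6d5c765ecd41c2f86f796b074ea2e2de83bf4bd.log": "3",
    "/logs/containers/nounderscore.log": "7",
    "/logs/containers/3198058471-5mdkn_deadbeef.log": "9",
}

if __name__ == "__main__":
    print(colliding_names(SAMPLE_ROW))
    print(rename_container_fields(SAMPLE_ROW))
```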
