Splunk Search

Rename fields based on Token value

mcaulsc
Path Finder

Hi,

I have some data which spans multiple systems example below:

"system" "app" "fld1" "fld2" "fld3"

sys1         appA   1           0          0

sys1         appA   0           0         0

sys1        appB    0          1

What I'm trying to do is create a generic dashboard so I would need to rename the fields based on the "app" value. So something similar to:

when app=="appA" rename "fld1" as "appAfld1",  rename "fld2" as "appAfld2"

when app=="appB" rename "fld1" as "appBfld1"

Then in a table only show the renamed fields, so a conditional table statement again based on the "app" value.

Any ideas on how/if that can be achieved? Alternatively I just create separate dashboards, but there is a lot of repetition in that, so I suspect there is a way to do it.

Thanks in advance for any ideas.


ITWhisperer
SplunkTrust
| foreach fld* 
    [| eval {app}<<FIELD>> = <<FIELD>>]

mcaulsc
Path Finder

Sorry, you will have to walk me through this:
[| eval {app}<<FIELD>> = <<FIELD>>]

what is that doing and how would that handle multiple values for app?


ITWhisperer
SplunkTrust

The braces around app use the value of the field as part of the new field name, and then the name of the field from the foreach (<<FIELD>>) is added, so {app}<<FIELD>> = <<FIELD>> becomes appAfld1 = fld1, which is what you were after.


mcaulsc
Path Finder

Ah, I see now, thanks for the explanation. I got that working and that will be useful.

My example was a bit too literal, I think, where I masked names. What I'm actually after is a complete rename, so:
when app=="appA" rename "fld1" as "newname1", rename "fld2" as "newname2", rename "fld3" as "newname11"


mcaulsc
Path Finder

So what I really want is something equivalent to IF ... THEN DO:

If app = app1 then Do
   rename fld1 as newname1
   rename fld2 as newname2
   rename fld3 as newname11
End
If app = app2 then Do
   rename fld1 as newnameA
   rename fld2 as newnameB
   rename fld3 as newnameYY
End

Hopefully that makes more sense.


ITWhisperer
SplunkTrust

Flip it the other way around

| eval newname1=case(app="app1","newname1",app="app2","newnameA")
| eval {newname1}=fld1
| eval newname2=case(app="app1","newname2",app="app2","newnameB")
| eval {newname2}=fld2
etc.

mcaulsc
Path Finder

That's it, excellent, and I can pull them into a table etc. with a generic search.
Thanks for the solution and also the explanations.

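For anyone landing here later, below is a complete search that builds the three sample rows with makeresults and applies the accepted case()/{field} approach to all three fields at once, then keeps only the renamed columns. This is an added example, not code from the thread; the app values and newname* names are the ones mcaulsc listed, and the comparison "<<FIELD>>"="fld1" relies on foreach substituting the field name as text before eval runs.

```spl
| makeresults count=3
| streamstats count AS n
| eval system="sys1",
       app=if(n<3, "appA", "appB"),
       fld1=if(n=1, 1, 0),
       fld2=if(n=3, 1, 0),
       fld3=if(n=3, null(), 0)
| fields - _time, n
| foreach fld1 fld2 fld3
    [ eval target=case(
          app="appA", case("<<FIELD>>"="fld1", "newname1",
                           "<<FIELD>>"="fld2", "newname2",
                           "<<FIELD>>"="fld3", "newname11"),
          app="appB", case("<<FIELD>>"="fld1", "newnameA",
                           "<<FIELD>>"="fld2", "newnameB",
                           "<<FIELD>>"="fld3", "newnameYY"))
    | eval {target}=<<FIELD>> ]
| fields - target, fld1, fld2, fld3
| table system app newname*
```

The two appA rows come out with newname1/newname2/newname11 populated and the appB row with newnameA/newnameB (newnameYY stays empty because fld3 was missing for that row, matching the original sample). Every app value present in the data needs its own branch in the outer case(); the sample only contains appA and appB.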