Solved: Re: Rename fields based on Token value

mcaulsc · ‎09-30-2021

Hi,

I have some data which spans multiple systems example below:

"system" "app" "fld1" "fld2" "fld3"

sys1 appA 1 0 0

sys1 appA 0 0 0

sys1 appB 0 1

What I'm trying to do is create a generic dashboard so I would need to rename the fields based on the "app" value. So something similar to:

when app=="appA" rename "fld1" as "appAfld1", rename "fld2" as "appAfld2"

when app=="appB" rename "fld1" as "appBfld1"

Then in a table only show the renamed fields, so a conditional table statement again based on the "app" value.

Any ideas on how/if that can be achieved? Alternately I just create separate dashboards but a lot of repetition in that so I suspect there is a way to do it.

Thanks in advance for any ideas.

ITWhisperer · ‎10-01-2021

Flip it the other way around

| eval newname1=case(app="app1","newname1",app="app2","newnameA")
| eval {newname1}=fld1
| eval newname2=case(app="app1","newname2",app="app2","newnameB")
| eval {newname2}=fld2
etc.

View solution in original post

ITWhisperer · ‎09-30-2021

| foreach fld* 
    [| eval {app}<<FIELD>> = <<FIELD>>]

mcaulsc · ‎09-30-2021

sorry, will have to walk me through the :
[| eval {app}<<FIELD>> = <<FIELD>>]

what is that doing and how would that handle multiple values for app?

ITWhisperer · ‎09-30-2021

The braces around the app uses the value of the field as part of the field name and then the name of the field from the foreach <<FIELD>> is add so {app}<<FIELD>> = <<FIELD>> becomes appAfld1 = fld1 which is what you were after.

mcaulsc · ‎10-01-2021

ah, I see now, thanks for the explanation, I got that working and that will be useful.

My example was a bit too literal I think where I masked names. What I'm actually after is a complete rename so:
when app=="appA" rename "fld1" as "newname1", rename "fld2" as "newname2", rename "fld3" as "newname11"

mcaulsc · ‎10-01-2021

so what I really want is something equivalent to IF .... THEN DO

If app =app1 then Do
rename fld1 as newname1
rename fld2 as newname2
rename field3 as newname11
End
If app =app2 then Do
rename fld1 as newnameA
rename fld2 as newnameB
rename field3 as newnameYY
End

Hopefully that makes more sense.

ITWhisperer · ‎10-01-2021

Flip it the other way around

| eval newname1=case(app="app1","newname1",app="app2","newnameA")
| eval {newname1}=fld1
| eval newname2=case(app="app1","newname2",app="app2","newnameB")
| eval {newname2}=fld2
etc.

mcaulsc · ‎10-01-2021

That's it, excellent and I can pull them into a table etc with a generic.
Thanks for the solution and also the explanations.

Rename fields based on Token value

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation