I originally asked this question here:
http://splunk-base.splunk.com/answers/55254/rename-values-extracted-into-field
This was regarding renaming values that were extracted into a field to something different. Example:
-filename=statement.pdf
I'd like statement.pdf to be known as "Scorecard".
The solution before was to use EVAL for this but the issue with that is that using eval will only single out those values you choose to rename in the command itself. It will only display those that were renamed and all other filenames were not listed.
I'm wondering if you can use transforms.conf for this instead. I'd like to have basically a list where I have something like:
statement.pdf = Scorecard
invoice.pdf = Billing
ImHungry.pdf = Lunch
Anyone have any ideas to throw around with this one? I'm looking at transforms.conf in the admin manual but figured I'd also ask this here. I was also told to maybe try lookups.
You should try a lookup. That way you can have a .csv with the translations. When you do the lookup (and you can set it up to be automatic), every time you access that source of data a new field will be created for you that contains the naming you want to use, like Scorecard, Billing, etc.
http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups
Can you post the details from your config files and give us a couple of lines from your file?
I'm going to post this question separately, as I followed the example and everything looks OK but I still get an error. I looked at other questions too and still the same thing.
At the top of your csv file are the field names. So make sure you have those set up with no spaces, then when you get to the final step of creating the automatic lookup you'll define the key field (let's say doctype in your case) and then you'll define the other fields. The example is quite good. You'll see several other answers on here as well with folks running into issues.
Set the lookup to run automatically
In the Manager > Lookups > Automatic lookups view:
With the lookups, I followed the example but I never get it to work. I got this error: [log1.nj.blahblah.blah] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::EPPWEB' and lookup table 'WAT_Lookups'.
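An added example, not part of the original thread or of Splunk's documentation: a minimal automatic CSV lookup for the mapping listed in the question, with a field-name mismatch of the kind that raises the error quoted above shown beside the matching form. The stanza names `WAT_Lookups` and `source::EPPWEB` are taken from that error message; the CSV file name, the `doctype` output field, and the assumption that the extracted event field is called `filename` are illustrative.

```ini
# --- lookups/wat_lookups.csv (file name is an assumption) ---
# First line is the header; column names contain no spaces.
#
#   filename,doctype
#   statement.pdf,Scorecard
#   invoice.pdf,Billing
#   ImHungry.pdf,Lunch

# --- transforms.conf: the lookup definition ---
[WAT_Lookups]
# Here "filename" is the transforms.conf setting that names the CSV file,
# not the event field of the same name.
filename = wat_lookups.csv
# Matching is case-sensitive by default, so "imhungry.pdf" would not match
# "ImHungry.pdf". Uncomment to relax that:
# case_sensitive_match = false

# --- props.conf: the automatic lookup ---
[source::EPPWEB]
# Mismatched form: "file_name" and "doc_type" are not columns in the CSV
# header above, so the lookup fields cannot all be found in the table.
# LOOKUP-doctype = WAT_Lookups file_name OUTPUT doc_type

# Matching form: every field named here is a column in the CSV header.
# Events whose filename has no row in the CSV are still returned; they
# simply have no doctype field.
LOOKUP-doctype = WAT_Lookups filename OUTPUT doctype

# If the event field has a different name than the CSV column, map it
# with AS instead of renaming the column (event field name "file" is
# hypothetical):
# LOOKUP-doctype = WAT_Lookups filename AS file OUTPUT doctype
```

The same lookup can be run by hand with `... | lookup WAT_Lookups filename OUTPUT doctype` to confirm the CSV header and the field names agree before making it automatic.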