Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to rename field values and use a new Name for another field?

lukasHoel
Explorer
‎04-21-2015 06:17 AM

Hello,

I have extracted three fields: Name, Type and Environment.
Each of those fields is has multiple values.

For example:

  • Name = "fw.infra.prctrl.ClientStarter" (and more following this layout)
  • Type = "somestuff.OLDTYPE.morestuff"
  • Type = "somestuff.NEWTYPE.morestuff"
  • Environment = "env A"
  • Environment = "env B"

Eventually, I want to combine those fields into a new field named NameOfApplication.
The way I have done that, was by using the "Calculate Fields" Option with the eval Operation:

 "*Name + " - " Type" + " - " + "Environment*"

As expected, the result was for example:

 "fw.infra.prctrl.ClientStarter - somestuff.NEWTYPE.morestuff - env A"

But that is too long for my needs and I would like to have it in this way:

 "Application One - NEWTYPE - A"

That's because I will use NameOfApplication in a Chart.

So I have to tell Splunk that "fw.infra.prctrl.ClientStarter" means "Application One" and that I have to shorten the other fields.
I know this is possible in the search bar by using "replace" or "rex" commands, but the field NameOfApplication is created with the "Calculate Fields" Option in SplunkWeb, so changing the values of the fields in the search bar won't affect the new field.
Also, changing this manually in the search bar for every possible result might get too much, so doing it automatically would be great.

How can I achieve my goal the best way? Changing the way completely wouldn't mind at all 🙂
Thanks for your help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 06:24 AM

If the list of names, types and environments doesn't change often, you could use a lookup.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 06:24 AM

If the list of names, types and environments doesn't change often, you could use a lookup.

0 Karma
Reply
Solved! Jump to solution

lukasHoel
Explorer
‎04-21-2015 06:43 AM

Well using external sources with a lookup would not be a possibility, I guess. Maybe I could break the problem down to this:
Say, that the extracted field value "Test123ABC" means actually "Application One". And then, when using the field in a field calculation, it will use "Application One" as value and not "Test123ABC". There must be an easy way to do this?
I am searching for something like field aliases only for values, saying Test123ABC = Application One and using Application One, instead of Test123ABC when using the field.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 06:47 AM

You can always use eval to change the field values. I'm thinking of using case to switch through the possibilities and assigning them the shorter names.

Reply
Solved! Jump to solution

lukasHoel
Explorer
‎04-23-2015 01:26 AM

Thanks for that! Using eval and case totally got it for me 🙂 Using those operations several times fixed the issue!

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...