Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field rename help

mustafag
Path Finder
‎05-24-2017 02:32 AM

Hi,
I am receiving the logs from McAfee Email gateway. In this log, there is a field name as "action" which has vendor specific value. I have created the lookup which provide the value mapping based on CIM. Now how can I replace, rename or remove the present default "action" field with different field name? I need to do rename / delete for default available field name "action" so I can create the another field with same name "action".

Reply
1 Solution
Solved! Jump to solution
Solution

wenthold
Communicator
‎05-24-2017 07:26 AM

To retain the original value I would just rename the original "action" field to something like orig_action or vendor_action (as another response indicated) but then use a lookup to use the new CIM compliant "action" field - it would be something like:

... | rename action AS orig_action | lookup {LOOKUP TABLE DEF} {VENDOR ACTION COLUMN NAME} AS orig_action OUTPUT {CIM ACTION COLUMN NAME} AS action

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

wenthold
Communicator
‎05-24-2017 07:26 AM

To retain the original value I would just rename the original "action" field to something like orig_action or vendor_action (as another response indicated) but then use a lookup to use the new CIM compliant "action" field - it would be something like:

... | rename action AS orig_action | lookup {LOOKUP TABLE DEF} {VENDOR ACTION COLUMN NAME} AS orig_action OUTPUT {CIM ACTION COLUMN NAME} AS action
0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-24-2017 06:44 AM

First, I would ask you if that field is required for any dashboards, searches, lookups (you indicated it was being used for this). I'm making the assumption that you are using an app or add-on, so you would probably want to go into the props.conf in the app/add-ons local directory and modify the existing field extraction to change the name from action to something else. You would need to modify any dashboards, searches, etc... that reference the original field action so they don't break.

As for the new field, you could create it via the GUI based field extractor, or you could add the extraction while you are in the props.conf file changing the name of the original action field.

If this is not required to be a permanent thing, meaning, you just need to do it for a search or something, then you could handle it in the search itself:

... | eval action_orig = action | rex field=_raw "REGEX HERE (?REGEX TO CAPTURE FIELD VALUE) REGEX HERE"

Since I have no idea what your regex would be to capture the value for the new action field, you would need to replace the things in capital letter. Just use the capture group to populate the field action.

0 Karma
Reply
Solved! Jump to solution

mustafag
Path Finder
‎05-24-2017 06:28 AM

The field with same name is already available in logs so alias is not working.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎05-24-2017 06:07 AM

maybe you can use field alias:
http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Abouttagsandaliases

Reply
Solved! Jump to solution

niketn
Legend
‎05-24-2017 06:39 AM

Upvoting... as Field Alias seems to be perfect candidate for this. Since you are using CIM Field Alias can be used to streamline Fields for correlation across sources.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields
PS: Field Alias will retain original field as well.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...