Splunk Search

field rename help

Path Finder

Hi,
I am receiving the logs from McAfee Email gateway. In this log, there is a field name as "action" which has vendor specific value. I have created the lookup which provide the value mapping based on CIM. Now how can I replace, rename or remove the present default "action" field with different field name? I need to do rename / delete for default available field name "action" so I can create the another field with same name "action".

1 Solution

Communicator

To retain the original value I would just rename the original "action" field to something like orig_action or vendor_action (as another response indicated) but then use a lookup to use the new CIM compliant "action" field - it would be something like:

... | rename action AS orig_action | lookup {LOOKUP TABLE DEF} {VENDOR ACTION COLUMN NAME} AS orig_action OUTPUT {CIM ACTION COLUMN NAME} AS action

View solution in original post

0 Karma

Communicator

To retain the original value I would just rename the original "action" field to something like orig_action or vendor_action (as another response indicated) but then use a lookup to use the new CIM compliant "action" field - it would be something like:

... | rename action AS orig_action | lookup {LOOKUP TABLE DEF} {VENDOR ACTION COLUMN NAME} AS orig_action OUTPUT {CIM ACTION COLUMN NAME} AS action

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

First, I would ask you if that field is required for any dashboards, searches, lookups (you indicated it was being used for this). I'm making the assumption that you are using an app or add-on, so you would probably want to go into the props.conf in the app/add-ons local directory and modify the existing field extraction to change the name from action to something else. You would need to modify any dashboards, searches, etc... that reference the original field action so they don't break.

As for the new field, you could create it via the GUI based field extractor, or you could add the extraction while you are in the props.conf file changing the name of the original action field.

If this is not required to be a permanent thing, meaning, you just need to do it for a search or something, then you could handle it in the search itself:

... | eval action_orig = action | rex field=_raw "REGEX HERE (?REGEX TO CAPTURE FIELD VALUE) REGEX HERE"

Since I have no idea what your regex would be to capture the value for the new action field, you would need to replace the things in capital letter. Just use the capture group to populate the field action.

0 Karma

Path Finder

The field with same name is already available in logs so alias is not working.

0 Karma

SplunkTrust
SplunkTrust

SplunkTrust
SplunkTrust

Upvoting... as Field Alias seems to be perfect candidate for this. Since you are using CIM Field Alias can be used to streamline Fields for correlation across sources.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields
PS: Field Alias will retain original field as well.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma