- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Rename multiple fields to the same name using ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rename multiple fields to the same name using a * or a generic character, so it can be done on mass.
Rename multiple fields to the same name using a * or a generic character. MY data set is producing a lot of data that can fit into the same name. The issues is renaming all of them could take along time.
The way i want to do it (using the * - rename "max(XML_PARSE): STAR" as XML_PARSE )
index=mlc_test sourcetype=LAS source=LAS.log MSG_TYPE=* | timechart span=10s max(IN_TRANS), max(XML_PARSE), max(HANDLER) by MSG_TYPE | rename "max(XML_PARSE): *" as XML_PARSE
However this does not work,
The Long Way [So i want to replace CONTRACT and DRAFT and XXX + YYY with STAR]
index=mlc_test sourcetype=LAS source=LAS.log MSG_TYPE=* | timechart span=10s max(IN_TRANS), max(XML_PARSE), max(HANDLER) by MSG_TYPE | rename "max(XML_PARSE): CONTRACT" as XML_PARSE | rename "max(XML_PARSE): DRAFT" as XML_PARSE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've got the same problem where there are multiple fields which contain basically the same information, i.e. responseTime, but they are named differently for their business function. I don't want to hardcode 20 different renames, but rather have just one, but rename expects an asterisk on both sides of the AS and you still wind up with 20 different names. Coalesce isn't the answer either as I tried that and it has an entirely different behavior (creation of a MV field?)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you looked at field alias http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addaliasestofields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see replace does what I'm looking for inside the field (i.e. the values). I need something like that for the key or field name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you rename the way you are looking to rename, you will lose the grouping by msg_type. Why not just not group by msg_type? In other words modify your search to
index=mlc_test sourcetype=LAS source=LAS.log MSG_TYPE=* | timechart span=10s max(IN_TRANS) as in_trans, max(XML_PARSE) as xml_parse, max(HANDLER) as handler
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
