https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465857#M131206 <P>This only shows Red Hat results for some reason</P> Thu, 29 Aug 2019 16:04:24 GMT payton_tayvion 2019-08-29T16:04:24Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465853#M131202 <P>I'm currently creating a list that lists top 10 technologies and I'm trying to rename "Red" as "Red Hat" using the rename command.<BR /> Here's the query:</P> <PRE><CODE>| tstats summariesonly=f dc(Vulnerabilities.signature) as count from datamodel="Vulnerabilitiesv3" where (nodename="Vulnerabilities" (Vulnerabilities.severity!=informational Vulnerabilities.severity!=unknown) Vulnerabilities.dest_bunit IN (*) Vulnerabilities.property IN (*) ) by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.point_of_contact, Vulnerabilities.solution | rename Vulnerabilities.* AS * | rename signature as sig | lookup workday.csv shortid as point_of_contact output l1, l2,l3,l4 | search (l1="*" OR l2="*" OR l3="*" OR l4="*") | fields - point_of_contact | rex field=sig "^(?&lt;Technology&gt;[^\W]++)" | stats sum(count) as count by Technology | sort- count | head 10 | rename Red as "Red Hat" </CODE></PRE> <P>This is the results:</P> <PRE><CODE>Technology count RHEL 6906424 Oracle 1507478 CentOS 402534 Network 186231 Ubuntu 129319 Red 109693 </CODE></PRE> Thu, 29 Aug 2019 14:41:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465853#M131202 payton_tayvion 2019-08-29T14:41:03Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465854#M131203 <P>you can rename technology as something else or count as say counts , to achieve this<BR /> try<BR /> |eval Technology=case(Technology="Red","Red Hat")</P> Thu, 29 Aug 2019 15:11:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465854#M131203 Sukisen1981 2019-08-29T15:11:53Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465855#M131204 <P>try this :</P> <PRE><CODE>| tstats summariesonly=f dc(Vulnerabilities.signature) as count from datamodel="Vulnerabilitiesv3" where (nodename="Vulnerabilities" (Vulnerabilities.severity!=informational Vulnerabilities.severity!=unknown) Vulnerabilities.dest_bunit IN (*) Vulnerabilities.property IN (*) ) by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.point_of_contact, Vulnerabilities.solution | rename Vulnerabilities.* AS * | rename signature as sig | lookup workday.csv shortid as point_of_contact output l1, l2,l3,l4 | search (l1="*" OR l2="*" OR l3="*" OR l4="*") | fields - point_of_contact | rex field=sig "^(?&lt;Technology&gt;[^\W]++)" | stats sum(count) as count by Technology | sort- count | head 10 | replace Red WITH "Red Hat" IN Technology </CODE></PRE> <P>let me know if this helps!</P> Thu, 29 Aug 2019 15:14:31 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465855#M131204 mayurr98 2019-08-29T15:14:31Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465856#M131205 <P>You are using the wrong command. The <CODE>rename</CODE> command is for field <CODE>names</CODE> whereas the <CODE>replace</CODE> command is for field <CODE>values</CODE>. You need the latter.</P> Thu, 29 Aug 2019 15:28:35 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465856#M131205 woodcock 2019-08-29T15:28:35Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465857#M131206 <P>This only shows Red Hat results for some reason</P> Thu, 29 Aug 2019 16:04:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-the-rename-command-not-renaming-fields/m-p/465857#M131206 payton_tayvion 2019-08-29T16:04:24Z