https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300692#M175022 <P>Good morning,</P> <P>This must be really simple. I have the query:</P> <P>index=[my index] sourcetype=[my sourcetype] event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" by user|sort -Count</P> <P>I want to rename the user column to "User". I'm particular and like my words/heading capitalized. I've tried:</P> <P>index=[my index] sourcetype=[my sourcetype] event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" values(user) as User by User|sort -Count</P> <P>I get the following error:</P> <P>Error in 'stats' command: The output field 'User' cannot have the same name as a group-by field.</P> <P>I've tried some other things as well and no luck. The closest I got was </P> <P>index=[my index] sourcetype=[my sourcetype] event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" values(user) as User by user|sort -Count</P> <P>and that created two columns with the same data (user and User). I suppose I could delete the "user" column from the final output. Any suggestions? Thanks.</P> Mon, 03 Apr 2017 15:27:53 GMT SplunkLunk 2017-04-03T15:27:53Z https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300692#M175022 <P>Good morning,</P> <P>This must be really simple. I have the query:</P> <P>index=[my index] sourcetype=[my sourcetype] event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" by user|sort -Count</P> <P>I want to rename the user column to "User". I'm particular and like my words/heading capitalized. I've tried:</P> <P>index=[my index] sourcetype=[my sourcetype] event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" values(user) as User by User|sort -Count</P> <P>I get the following error:</P> <P>Error in 'stats' command: The output field 'User' cannot have the same name as a group-by field.</P> <P>I've tried some other things as well and no luck. The closest I got was </P> <P>index=[my index] sourcetype=[my sourcetype] event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" values(user) as User by user|sort -Count</P> <P>and that created two columns with the same data (user and User). I suppose I could delete the "user" column from the final output. Any suggestions? Thanks.</P> Mon, 03 Apr 2017 15:27:53 GMT https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300692#M175022 SplunkLunk 2017-04-03T15:27:53Z https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300693#M175023 <P>try this one..</P> <P>index=[my index] sourcetype=[my sourcetype] event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" by user|sort -Count|rename user as User</P> Mon, 03 Apr 2017 15:31:28 GMT https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300693#M175023 kiran331 2017-04-03T15:31:28Z https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300694#M175024 <P>I'm surprised that splunk let you do that last one. At one point the search manual says you CANT use a <CODE>group by</CODE> field as one of the <CODE>stats</CODE> fields, and gives an example of creating a second field with <CODE>eval</CODE> in order to make that work. </P> <P>KIran331's answer is correct, just use the rename command after the stats command runs. (... Or before, that works as well.)</P> Mon, 03 Apr 2017 15:37:34 GMT https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300694#M175024 DalJeanis 2017-04-03T15:37:34Z https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300695#M175025 <P>You can pipe a table after your stats and then rename your table fields:<BR /> base_search | stats count by field1,field2| table field1 field2 count | rename field1 as NewFieldName1</P> Mon, 03 Apr 2017 15:40:49 GMT https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300695#M175025 gehinger 2017-04-03T15:40:49Z https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300696#M175026 <P>Thanks. I figured I'd be able to do it within the stats function. I should have tried rename after sort. Thanks again.</P> Mon, 03 Apr 2017 15:47:11 GMT https://community.splunk.com/t5/Splunk-Search/Rename-a-Column-When-Using-Stats-Function/m-p/300696#M175026 SplunkLunk 2017-04-03T15:47:11Z