topic Re: help on a field renaming in a subsearch in Splunk Search

help on a field renaming in a subsearch

jip31 — Mon, 02 Sep 2019 13:15:21 GMT

hello

in my csv file I have a field called "host" and in my index a field called "HOSTNAME"
its the same field and I have to rename it in order to be able to match the events
but i dont understand why it works when I am doing this :

[| inputlookup host.csv 
    | rename host as HOSTNAME ] index=master-data-lookups sourcetype="xx" 
| stats count by HOSTNAME

and it doesnt works when I am doing?

    [| inputlookup host.csv] index=master-data-lookups sourcetype="xx" | rename HOSTNAME as host
    | stats count by host

thanks for your help

Re: help on a field renaming in a subsearch

renjith_nair — Mon, 02 Sep 2019 13:35:32 GMT

@jip31,

In your first search, you are selecting all entries from your csv file and renaming the field host to HOSTNAME before the comparison with the events from index which has HOSTNAME for the same field i.e HOSTNAME(csv)==HOSTNAME(index

In your second search, you are trying to match host with HOSTNAME and then renaming it after the comparison.
i.e. host(csv)==HOSTNAME(index) which does not work

Re: help on a field renaming in a subsearch

jip31 — Mon, 02 Sep 2019 13:41:36 GMT

OK. so for the second search, is there a way to rename the fields HOSTNAME by host before the comparison?

Re: help on a field renaming in a subsearch

renjith_nair — Mon, 02 Sep 2019 14:21:43 GMT

   index=master-data-lookups sourcetype="itop:view_splunk_assets" |rename HOSTNAME as host|search [|inputlookup host.csv ]

should work but it might be expensive since it scans through all events and then apply the search for all the host names in the csv file

Instead, you could use the first search and rename HOSTNAME to host as the final step (not sure about the use case though)

Re: help on a field renaming in a subsearch

jip31 — Mon, 02 Sep 2019 15:46:45 GMT

Thanks renjith