Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Apps and Add-ons
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- How to add a space when renaming a field?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p1stolero
Explorer
09-15-2015
05:37 AM
I have a search using Timewrap that compares today against last week for the same week day. I'm having issues with renaming the field "1week_before" so it displays as "Last Tuesday". The search fails with
Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+
any time I try adding a space so the closest I've been able to get is "Last_Tuesday". Is there a way to do this?
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| rename 1week_before as [| stats count | eval tmp=strftime(now(), "%A") | eval str="Last_".tmp | return $str]
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-15-2015
08:10 AM
There are multiple options
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| rename 1week_before as [| stats count | eval tmp=strftime(now(), "%A") | eval str="\"Last ".tmp."\"" | return $str]
OR
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| eval t=strftime(_time,"%A")
| eval "Last {t}"='1week_before' | fields - 1week_before,t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-15-2015
08:10 AM
There are multiple options
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| rename 1week_before as [| stats count | eval tmp=strftime(now(), "%A") | eval str="\"Last ".tmp."\"" | return $str]
OR
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| eval t=strftime(_time,"%A")
| eval "Last {t}"='1week_before' | fields - 1week_before,t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p1stolero
Explorer
09-15-2015
09:17 AM
Both of your solutions worked perfectly, thank you!
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
