Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- How to add a space when renaming a field?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p1stolero
Explorer
09-15-2015
05:37 AM
I have a search using Timewrap that compares today against last week for the same week day. I'm having issues with renaming the field "1week_before" so it displays as "Last Tuesday". The search fails with
Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+
any time I try adding a space so the closest I've been able to get is "Last_Tuesday". Is there a way to do this?
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| rename 1week_before as [| stats count | eval tmp=strftime(now(), "%A") | eval str="Last_".tmp | return $str]
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-15-2015
08:10 AM
There are multiple options
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| rename 1week_before as [| stats count | eval tmp=strftime(now(), "%A") | eval str="\"Last ".tmp."\"" | return $str]
OR
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| eval t=strftime(_time,"%A")
| eval "Last {t}"='1week_before' | fields - 1week_before,t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-15-2015
08:10 AM
There are multiple options
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| rename 1week_before as [| stats count | eval tmp=strftime(now(), "%A") | eval str="\"Last ".tmp."\"" | return $str]
OR
earliest="-w@w" latest="+w@w" index="_internal" sourcetype="scheduler"
| timechart span=10m count
| timewrap w
| where strftime(_time,"%A") == strftime(now(), "%A")
| rename latest_week as Today
| eval t=strftime(_time,"%A")
| eval "Last {t}"='1week_before' | fields - 1week_before,t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p1stolero
Explorer
09-15-2015
09:17 AM
Both of your solutions worked perfectly, thank you!
Get Updates on the Splunk Community!
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Shape the Future of Splunk: Join the Product Research Lab!
Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...
