
Skylight app for Splunk - Rename syntax error?

eliasit
Path Finder

Hello Splunkers,
I am getting an error on the built-in dashboards for the Skylight app. The error is
"Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+."
But the syntax is correct. The dashboards use a search macro that I have expanded and made bold in the example below.
My guess was that the field "result._time" did not exist, but I get the same error (bad syntax) no matter what field I use. Rename is used by other dashboards I have and it works on those.

Am I missing something or is this an issue with the app?

Here is an example search:
| inputlookup triggered_alerts
| rename result._time AS result_time,
| eval earliest_time="$earliest$"
| eval earliest_cur=if(earliest_time="0", "-10y@y", "$earliest$")
| eval earliest=round(relative_time(now(), earliest_cur))
| eval latest_time="$latest$"
| eval latest_cur=if(latest_time="now" OR latest_time="", "-0h@h", "$latest$")
| eval latest=round(relative_time(now(), latest_cur))
| where (result_time>=earliest AND result_time<=latest)

| search severity=*
| stats sparkline count by result.ruleName, result.Source
| sort - count | rename sparkline AS Sparkline, count AS "Total Count"

Thanks for reading,
