Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on a field renaming in a subsearch

jip31
Motivator
‎09-02-2019 06:15 AM

hello

in my csv file I have a field called "host" and in my index a field called "HOSTNAME"
its the same field and I have to rename it in order to be able to match the events
but i dont understand why it works when I am doing this :

[| inputlookup host.csv 
    | rename host as HOSTNAME ] index=master-data-lookups sourcetype="xx" 
| stats count by HOSTNAME

and it doesnt works when I am doing?

    [| inputlookup host.csv] index=master-data-lookups sourcetype="xx" | rename HOSTNAME as host
    | stats count by host

thanks for your help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-02-2019 06:35 AM

@jip31,

In your first search, you are selecting all entries from your csv file and renaming the field host to HOSTNAME before the comparison with the events from index which has HOSTNAME for the same field i.e HOSTNAME(csv)==HOSTNAME(index

In your second search, you are trying to match host with HOSTNAME and then renaming it after the comparison.
i.e. host(csv)==HOSTNAME(index) which does not work

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-02-2019 06:35 AM

@jip31,

In your first search, you are selecting all entries from your csv file and renaming the field host to HOSTNAME before the comparison with the events from index which has HOSTNAME for the same field i.e HOSTNAME(csv)==HOSTNAME(index

In your second search, you are trying to match host with HOSTNAME and then renaming it after the comparison.
i.e. host(csv)==HOSTNAME(index) which does not work

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-02-2019 06:41 AM

OK. so for the second search, is there a way to rename the fields HOSTNAME by host before the comparison?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-02-2019 07:21 AM 
   index=master-data-lookups sourcetype="itop:view_splunk_assets" |rename HOSTNAME as host|search [|inputlookup host.csv ]

should work but it might be expensive since it scans through all events and then apply the search for all the host names in the csv file

Instead, you could use the first search and rename HOSTNAME to host as the final step (not sure about the use case though)

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-02-2019 08:46 AM

Thanks renjith

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...