Splunk Cloud Platform

Rename a wildcard token in an SPL search that uses the rename command

singh_1234567
Loves-to-Learn Lots

Hi Team,

We have created a dashboard and are passing the device number from the form input token to the dashboard panel. It works properly when passing the device number, but when we pass the (*) wildcard character, we get the error message "Error in 'rename' command: Wildcard mismatch". When we use the rename command like this, "rename abc* as mcd*", it shows columns for all the device numbers. However, we want to show only 5 columns.

For example: we get correct data when we pass the device number, but when we pass the * wildcard character it increases the device number columns.

 

| Time | Device_Number | Router_Model | Router_Name |
|---|---|---|---|
| 10.30 | abc123 | ABC1234 | Cisco123 |
| 11.30 | abc123 | DEF1234 | Cisco1234 |
| 12.30 | abc123 | EFG1234 | Cisco567 |
| 1.30 | abc123 | CDE1234 | Cisco789 |

 

 When passing wildcard character in the query:

| Time | abc123_Device_Number | def123_Device_Number | ghi123_Device_Number | abc123_Router_Model | def123_Router_Model | ghi123_Router_Model | abc123_Router_Name | def123_Router_Name | ghi_Router_Name |
|---|---|---|---|---|---|---|---|---|---|
| 10.30 | abc123 | def123 | ghi123 | ABC1234 | NCFMM_Cisco | AGBDVDMM_Cisco | Cisco | Netgear | Netgear |
| 11.30 | abc123 | def123 | ghi123 | CDE3434 | NCFMM_Cisco | AGACJJBCJM_Cisco | Netgear | Netgear | Netgear |
| 12.30 | abc123 | def123 | ghi123 | GHI1233 | NCFNNM_Cisco | AGAGDNM_Cisco | Cisco | Netgear | Netgear |
| 1.30 | abc123 | def123 | ghi123 | LEF1232 | NCDDMM_Cisco | AGABDBDMM_Cisco | Cisco | Cisco | Cisco |
| 2.30 | abc123 | def123 | ghi123 | HDDF112 | NCDDM_Cisco | AGAGBBM_Cisco | Netgear | Netgear | Netgear |

 

When passing the wildcard character from the token and then using it in the rename, the columns increase; when passing the token normally without a wildcard, it is proper. Can we use the wildcard in such a way that the column count doesn't increase?

 

Thanks in advance for the help!

 

0 Karma

thambisetty
SplunkTrust

When you pass a value with a wildcard from the form input, the wildcard might match more than one field. All fields will have different sets of values. Your requirement is to rename the matching fields to one field. What about the values of more than one matching field: which field's values would you want to display? For example, if you want to sum matched field1, field2, field3 from field*, then that is possible (I have just given an example).

————————————
If this helps, give a like below.
0 Karma

singh_1234567
Loves-to-Learn Lots

I want all the values of the field to display under one common field instead of having multiple fields.

Here is an example to help you understand better.

| Time | abc123_Device_Number | Router_Model | Router_Name |
|---|---|---|---|
| 10.30 | abc123 | ABC1234 | Cisco |
| 11.30 | abc123 | CDE3434 | Netgear |
| 12.30 | abc123 | GHI1233 | Cisco |
| 1.30 | abc123 | LEF1232 | Cisco |
| 2.30 | abc123 | HDDF112 | Netgear |
| 3.30 | def123 | NCFMM_Cisco | NCFMM_Cisco |
| 4.30 | def123 | NCFMM_Cisco | NCFMM_Cisco |
| 5.30 | def123 | NCFNNM_Cisco | NCFNNM_Cisco |
| 6.30 | def123 | NCDDMM_Cisco | NCDDMM_Cisco |
| 7.30 | def123 | NCDDM_Cisco | NCDDM_Cisco |

 

0 Karma

thambisetty
SplunkTrust

If you rename multiple matched fields to one field, then what about the values of the multiple fields renamed to one?

I believe you should use the token at the start of the search to format the results the way you want, rather than just renaming at the end.

————————————
If this helps, give a like below.
0 Karma

singh_1234567
Loves-to-Learn Lots

I didn't get it.

We are passing the token through a form input text. When passing values it works fine, but when passing the wildcard character there is an issue. We want to have the same format.

 

 

 

 

0 Karma

thambisetty
SplunkTrust

Obviously you will see more matches when you use a wildcard. Make sure you get relevant fields when you use a wildcard. If you need more help, post your query here and explain more.

————————————
If this helps, give a like below.
0 Karma

singh_1234567
Loves-to-Learn Lots

We don't need more columns.

Here is a sample query:

index=abc_test sourcetype="tomcatlog"
| rex max_match=20 "\"(?<deviceSN>[-\w]*)\""
| rex "(?<json1>{.*})"
| spath input=json1
| eval time=strftime(_time,"%F %T.%3N %Z")
| sort 0 - _time
| rename number.$tokenvalue$.setting.fields{}.test{}.x AS test_x numbers.$tokenvalue$.setting.fields{}.test{}.y AS test_y router.$tokenvalue$.fields.names.areas{}.area AS areas_a router.$tokenvalue$.fields.settings.router{}.model AS model_a

 

It works fine when passing the serial number, but it doesn't work when passing the wildcard character.

So we had to format the rename command using a wildcard, but it increases the columns, and we want the columns to remain intact.

 

 

0 Karma
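
One way to get the single-column layout requested above, as an added example that is not from any poster in this thread: instead of `rename`, `foreach` walks every field the wildcard matches and folds it into one row per device. The `<device>_Router_Model` / `<device>_Router_Name` column names are the simplified ones from the tables in the thread, the `makeresults` events are constructed sample data, and the search assumes the values never contain `|`.

```spl
| makeresults count=2
| streamstats count AS n
| eval _time=_time - (n * 3600)
| eval abc123_Router_Model=if(n=1, "ABC1234", "CDE3434"),
       abc123_Router_Name=if(n=1, "Cisco", "Netgear"),
       def123_Router_Model=if(n=1, "NCFMM_Cisco", null()),
       def123_Router_Name=if(n=1, "NCFMM_Cisco", null())
| foreach *_Router_Model
    [ eval row=mvappend(row, "<<MATCHSTR>>" . "|" . '<<FIELD>>' . "|" . '<<MATCHSTR>>_Router_Name') ]
| mvexpand row
| eval parts=split(row, "|"),
       Device_Number=mvindex(parts, 0),
       Router_Model=mvindex(parts, 1),
       Router_Name=mvindex(parts, 2)
| table _time Device_Number Router_Model Router_Name
```

`<<MATCHSTR>>` is the part of each field name matched by `*`, so the device identifier becomes a value in `Device_Number` rather than part of a column name; a device whose fields are null in an event contributes no row because `mvappend` skips null arguments. The column count stays the same whether the token holds one device number or `*`.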