- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to rename field with * inside like: Service*
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I need to rename a field name (from lookup csv) with special character inside, like:
Service*
Status+
the problem is the: *
inputlookup file.csv | rename "Service*" as service
... does not work. how can i tell splunk to ignore the * as "wildcard"?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats count
| rename count as "Status*"
| eval status='Status*'
| fields status
Hi, this is sample query.
| inputlookup file.csv
| eval service='Service*'
| fields - Service*
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try the below.
inputlookup file.csv | rename 'Service*' as service
Instead of using '' please use '
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you
| rename 'Service*' as service
does not work.
the solution at the end (thanks to to4kawa) is:
|inputlookup report.csv
| rename count as "Status*"
| eval status='Status*'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats count
| rename count as "Status*"
| eval status='Status*'
| fields status
Hi, this is sample query.
| inputlookup file.csv
| eval service='Service*'
| fields - Service*
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you so much to4kawa!
this helps:
|inputlookup report.csv
| rename count as "Status*"
| eval status='Status*'
have a good day and thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
at the end, this works fine:
|inputlookup report.csv
| rename count as "Status*"
| eval status='Status*'
thank you so much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your welcome, Happy Splunking.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you just need to change the column name, look at installing the Lookup Editor https://splunkbase.splunk.com/app/1724/. If the lookup is larger than 10 mb and you don't need the field names, I would just re-upload the lookup with the fields you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you - i can just upload the report as "user" - in settings/lookups - therefore not able to rename column during import (like when splunk is locally installed).
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
