Splunk Search

Is there a way to copy a field and not rename it?

Motivator

I need to display _time field1 field1 where field 1 and field 1 are the same, however if you try to do this it wont display the second field.
so renaming wont work.

so i need
_time field1 field1_copy

however i cant seem to find a copy command.

I have tried autoregress task_name AS task_name_n p=1, but i lose one value

0 Karma
1 Solution

Esteemed Legend

Like this:

| eval field1_copy=field1 | table field1 field1_copy

View solution in original post

Esteemed Legend

Like this:

| eval field1_copy=field1 | table field1 field1_copy

View solution in original post

Motivator

cheers 🙂

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!