Splunk Search

Is there a way to copy a field and not rename it?

Motivator

I need to display _time field1 field1 where field 1 and field 1 are the same, however if you try to do this it wont display the second field.
so renaming wont work.

so i need
time field1 field1copy

however i cant seem to find a copy command.

I have tried autoregress taskname AS taskname_n p=1, but i lose one value

0 Karma
1 Solution

Esteemed Legend

Like this:

| eval field1_copy=field1 | table field1 field1_copy

View solution in original post

Esteemed Legend

Like this:

| eval field1_copy=field1 | table field1 field1_copy

View solution in original post

Motivator

cheers 🙂

0 Karma