I notice Splunk uses the first word when using stats, so I need to rename the fields to single words or connected words.
I am trying to remove spaces in field names and use the new name in drop-downs and timecharts. Until now, I've been unable to do this. Following is a drop-down menu where I only want unique city names. I would also want to use the new names in stats.
source=location sourcetype=location_data
| search * "Current City"
| dedup "Current City"
| sort "Current City"
| rename "Current City" as City
| rename "Current State" as State
| rename "Current Location" as Location
| fields City
OK, so the problem is not that your field name has spaces but rather that your field value does. So you do not need rename, you need something else. Try using this (early in your command chain):
... | rex field="Current City" mode=sed "s/ /_/g"
Excellent, this works. Is it possible to do the same thing without removing spaces? Keeping column values as they are?
Yes, you can protect your values by surrounding the field name references with double-quotes or dollar-signs. It all depends on your actual XML and search.
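The quoting approach from the last reply, as an added Simple XML sketch that is not part of the original thread. It assumes the source, sourcetype and field names from the question; the token name `city` and the panel layout are hypothetical. The `|s` token filter wraps the selected value in double quotes, so a value such as a city name with a space stays one term in the search and a selected value cannot alter the rest of the query.

```xml
<form>
  <label>Events by city (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Drop-down with one entry per distinct city; values keep their spaces -->
    <input type="dropdown" token="city">
      <label>City</label>
      <search>
        <query>source=location sourcetype=location_data
| stats count by "Current City"
| sort "Current City"
| fields "Current City"</query>
      </search>
      <!-- Field names containing spaces are referenced as-is here -->
      <fieldForLabel>Current City</fieldForLabel>
      <fieldForValue>Current City</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Field name quoted by hand; field value quoted by the |s filter -->
          <query>source=location sourcetype=location_data "Current City"=$city|s$
| timechart count by "Current State"</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```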