Solved: Why is SPL receiving error?

BongoNations · ‎01-05-2023

Hi I have this SPL query but getting this error?

Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+.

Any ideas why or how to resolve this please?

| tstats count where index=os earliest=-7d latest=-3h by host, _time span=3h
| stats median(count) as median by host
| join host [| tstats count where index=os earliest=-3h by host]
| eval percentage_diff=((count/median)*100)-100
| where percentage_diff<-5 OR percentage_diff>5
| sort percentage_diff
| rename median as “Median Event Count Past Week”, count as “Event Count of Events Past 3 Hours”, percentage_diff as “Percentage Difference”

BongoNations · ‎01-05-2023

Its ok I saw the problem was due to the character " I copied and pasted from cherry tree into Splunk and Splunk did not like that.. I had to type the " again

View solution in original post

BongoNations · ‎01-05-2023

Its ok I saw the problem was due to the character " I copied and pasted from cherry tree into Splunk and Splunk did not like that.. I had to type the " again

Why is SPL receiving error?

search job inspector

tstats

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation