Solved: Why is SPL receiving error?

BongoNations · ‎01-05-2023

Hi I have this SPL query but getting this error?

Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+.

Any ideas why or how to resolve this please?

| tstats count where index=os earliest=-7d latest=-3h by host, _time span=3h
| stats median(count) as median by host
| join host [| tstats count where index=os earliest=-3h by host]
| eval percentage_diff=((count/median)*100)-100
| where percentage_diff<-5 OR percentage_diff>5
| sort percentage_diff
| rename median as “Median Event Count Past Week”, count as “Event Count of Events Past 3 Hours”, percentage_diff as “Percentage Difference”

BongoNations · ‎01-05-2023

Its ok I saw the problem was due to the character " I copied and pasted from cherry tree into Splunk and Splunk did not like that.. I had to type the " again

View solution in original post

BongoNations · ‎01-05-2023

Its ok I saw the problem was due to the character " I copied and pasted from cherry tree into Splunk and Splunk did not like that.. I had to type the " again

Why is SPL receiving error?

search job inspector

tstats

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off