Solved: Why is SPL receiving error?

BongoNations · ‎01-05-2023

Hi I have this SPL query but getting this error?

Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+.

Any ideas why or how to resolve this please?

| tstats count where index=os earliest=-7d latest=-3h by host, _time span=3h
| stats median(count) as median by host
| join host [| tstats count where index=os earliest=-3h by host]
| eval percentage_diff=((count/median)*100)-100
| where percentage_diff<-5 OR percentage_diff>5
| sort percentage_diff
| rename median as “Median Event Count Past Week”, count as “Event Count of Events Past 3 Hours”, percentage_diff as “Percentage Difference”

BongoNations · ‎01-05-2023

Its ok I saw the problem was due to the character " I copied and pasted from cherry tree into Splunk and Splunk did not like that.. I had to type the " again

View solution in original post

BongoNations · ‎01-05-2023

Its ok I saw the problem was due to the character " I copied and pasted from cherry tree into Splunk and Splunk did not like that.. I had to type the " again

Why is SPL receiving error?

search job inspector

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation