Why is the rename command not working post using f...

AnmolKohli · ‎12-17-2018

Can you please help check why below command is not working.

index="app_batch_reports" "] ERROR [" NOT "MessageClient."  | rex field=_raw "Generate Request to Module (?[^ ]+) Failed.+?Error \(Code: (?[^)]+)\): [\"']?(?[^\"']+?)\)?($|\n|\r)" | rex field=_raw "Error \(Code: (?[^)]+)\): (?.+?)($|\n|\r)" | rex field=_raw "ExecutionPersistenceController\.PersistScheduledReportExecution-END(.+?), Error, (?[^\"')]+)" | eval CODE=coalesce(CODE1,CODE2) | fillnull value=NULL |  table CODE |rename CODE as new

CODE field has all values as NULL. When I use rename command, I get no result, and without using it the query works fine. Also, if I change the fieldname from CODE to anything else, the query works fine with rename as well.

niketn · ‎12-17-2018

@AnmolKohli add the fieldname CODE to the fillnull command i.e. | fillnull value="NULL" CODE and confirm.
Following is a run anywhere example on similar lines for testing:

| makeresults count=10
| fillnull value="NULL" CODE
| table CODE
| rename CODE as new

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Why is the rename command not working post using fillnull?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation