Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the rename command not working post using fillnull?

AnmolKohli
Explorer
‎12-17-2018 06:34 PM

Can you please help check why below command is not working.

index="app_batch_reports" "] ERROR [" NOT "MessageClient."  | rex field=_raw "Generate Request to Module (?[^ ]+) Failed.+?Error \(Code: (?[^)]+)\): [\"']?(?[^\"']+?)\)?($|\n|\r)" | rex field=_raw "Error \(Code: (?[^)]+)\): (?.+?)($|\n|\r)" | rex field=_raw "ExecutionPersistenceController\.PersistScheduledReportExecution-END(.+?), Error, (?[^\"')]+)" | eval CODE=coalesce(CODE1,CODE2) | fillnull value=NULL |  table CODE |rename CODE as new

CODE field has all values as NULL. When I use rename command, I get no result, and without using it the query works fine. Also, if I change the fieldname from CODE to anything else, the query works fine with rename as well.

Tags (3)
0 Karma
Reply

niketn
Legend
‎12-17-2018 09:23 PM

@AnmolKohli add the fieldname CODE to the fillnull command i.e. | fillnull value="NULL" CODE and confirm.
Following is a run anywhere example on similar lines for testing:

| makeresults count=10
| fillnull value="NULL" CODE
| table CODE
| rename CODE as new
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...