Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the rename command not working post using fillnull?

AnmolKohli
Explorer
‎12-17-2018 06:34 PM

Can you please help check why below command is not working.

index="app_batch_reports" "] ERROR [" NOT "MessageClient."  | rex field=_raw "Generate Request to Module (?[^ ]+) Failed.+?Error \(Code: (?[^)]+)\): [\"']?(?[^\"']+?)\)?($|\n|\r)" | rex field=_raw "Error \(Code: (?[^)]+)\): (?.+?)($|\n|\r)" | rex field=_raw "ExecutionPersistenceController\.PersistScheduledReportExecution-END(.+?), Error, (?[^\"')]+)" | eval CODE=coalesce(CODE1,CODE2) | fillnull value=NULL |  table CODE |rename CODE as new

CODE field has all values as NULL. When I use rename command, I get no result, and without using it the query works fine. Also, if I change the fieldname from CODE to anything else, the query works fine with rename as well.

Tags (3)
0 Karma
Reply

niketn
Legend
‎12-17-2018 09:23 PM

@AnmolKohli add the fieldname CODE to the fillnull command i.e. | fillnull value="NULL" CODE and confirm.
Following is a run anywhere example on similar lines for testing:

| makeresults count=10
| fillnull value="NULL" CODE
| table CODE
| rename CODE as new
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...