Why is the rename command not working post using f...

AnmolKohli · ‎12-17-2018

Can you please help check why below command is not working.

index="app_batch_reports" "] ERROR [" NOT "MessageClient."  | rex field=_raw "Generate Request to Module (?[^ ]+) Failed.+?Error \(Code: (?[^)]+)\): [\"']?(?[^\"']+?)\)?($|\n|\r)" | rex field=_raw "Error \(Code: (?[^)]+)\): (?.+?)($|\n|\r)" | rex field=_raw "ExecutionPersistenceController\.PersistScheduledReportExecution-END(.+?), Error, (?[^\"')]+)" | eval CODE=coalesce(CODE1,CODE2) | fillnull value=NULL |  table CODE |rename CODE as new

CODE field has all values as NULL. When I use rename command, I get no result, and without using it the query works fine. Also, if I change the fieldname from CODE to anything else, the query works fine with rename as well.

niketn · ‎12-17-2018

@AnmolKohli add the fieldname CODE to the fillnull command i.e. | fillnull value="NULL" CODE and confirm.
Following is a run anywhere example on similar lines for testing:

| makeresults count=10
| fillnull value="NULL" CODE
| table CODE
| rename CODE as new

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Why is the rename command not working post using fillnull?

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Why is the rename command not working post using fillnull?

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!