- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help on a field renaming in a subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
in my csv file I have a field called "host" and in my index a field called "HOSTNAME"
its the same field and I have to rename it in order to be able to match the events
but i dont understand why it works when I am doing this :
[| inputlookup host.csv
| rename host as HOSTNAME ] index=master-data-lookups sourcetype="xx"
| stats count by HOSTNAME
and it doesnt works when I am doing?
[| inputlookup host.csv] index=master-data-lookups sourcetype="xx" | rename HOSTNAME as host
| stats count by host
thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31,
In your first search, you are selecting all entries from your csv file and renaming the field host to HOSTNAME before the comparison with the events from index which has HOSTNAME for the same field i.e HOSTNAME(csv)==HOSTNAME(index
In your second search, you are trying to match host with HOSTNAME and then renaming it after the comparison.
i.e. host(csv)==HOSTNAME(index) which does not work
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31,
In your first search, you are selecting all entries from your csv file and renaming the field host to HOSTNAME before the comparison with the events from index which has HOSTNAME for the same field i.e HOSTNAME(csv)==HOSTNAME(index
In your second search, you are trying to match host with HOSTNAME and then renaming it after the comparison.
i.e. host(csv)==HOSTNAME(index) which does not work
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. so for the second search, is there a way to rename the fields HOSTNAME by host before the comparison?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=master-data-lookups sourcetype="itop:view_splunk_assets" |rename HOSTNAME as host|search [|inputlookup host.csv ]
should work but it might be expensive since it scans through all events and then apply the search for all the host names in the csv file
Instead, you could use the first search and rename HOSTNAME to host as the final step (not sure about the use case though)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks renjith
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
