Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on a field renaming in a subsearch

jip31
Motivator
‎09-02-2019 06:15 AM

hello

in my csv file I have a field called "host" and in my index a field called "HOSTNAME"
its the same field and I have to rename it in order to be able to match the events
but i dont understand why it works when I am doing this :

[| inputlookup host.csv 
    | rename host as HOSTNAME ] index=master-data-lookups sourcetype="xx" 
| stats count by HOSTNAME

and it doesnt works when I am doing?

    [| inputlookup host.csv] index=master-data-lookups sourcetype="xx" | rename HOSTNAME as host
    | stats count by host

thanks for your help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎09-02-2019 06:35 AM

@jip31,

In your first search, you are selecting all entries from your csv file and renaming the field host to HOSTNAME before the comparison with the events from index which has HOSTNAME for the same field i.e HOSTNAME(csv)==HOSTNAME(index

In your second search, you are trying to match host with HOSTNAME and then renaming it after the comparison.
i.e. host(csv)==HOSTNAME(index) which does not work

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎09-02-2019 06:35 AM

@jip31,

In your first search, you are selecting all entries from your csv file and renaming the field host to HOSTNAME before the comparison with the events from index which has HOSTNAME for the same field i.e HOSTNAME(csv)==HOSTNAME(index

In your second search, you are trying to match host with HOSTNAME and then renaming it after the comparison.
i.e. host(csv)==HOSTNAME(index) which does not work

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-02-2019 06:41 AM

OK. so for the second search, is there a way to rename the fields HOSTNAME by host before the comparison?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
SplunkTrust
SplunkTrust
‎09-02-2019 07:21 AM 
   index=master-data-lookups sourcetype="itop:view_splunk_assets" |rename HOSTNAME as host|search [|inputlookup host.csv ]

should work but it might be expensive since it scans through all events and then apply the search for all the host names in the csv file

Instead, you could use the first search and rename HOSTNAME to host as the final step (not sure about the use case though)

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-02-2019 08:46 AM

Thanks renjith

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...