Re: "As" command modifier not working

grook · ‎05-06-2019

New to Splunk. Trying to use the "as" command modifier to change the name of a column. However, the modifier is not being highlighted or changing the column name.

Here is my SPL string:
sourcetype="access_combined_wcookie" status=200 file="success.do"
| table JSESSIONID as UserSession

pruthvikrishnap · ‎05-06-2019

Hi Grook,
U will have to rename the command prior to |table, such as
| rename JSESSIONID as usersession
and then call it to table

grook · ‎05-06-2019

Like this?

sourcetype="access_combined_wcookie" status=200 file="success.do"
| rename JSESSIONID as UserSessions
| table UserSession

niketn · ‎05-06-2019

Seems typo, field name should match, so if you rename you should use exact field name afterwards.

  | rename JSESSIONID as UserSessions
  | table UserSessions

If you have space or special characters in the field name you should use double quotes. For example

  | rename JSESSIONID as "User Session IDs"
  | table "User Session IDs"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pruthvikrishnap · ‎05-06-2019

yeah did it work?

"As" command modifier not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation