Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rename command seems to work differently in Splunk 7.2.5.1 vs Splunk 8.0.5.1

chans28
Explorer
‎09-16-2020 03:09 PM

Let me start by saying I know we should be using the coalesce command. I didn't write this query, it has been running fine for a year and it broke after we upgraded to 8.0.5.1. So just making sure I'm not crazy.

Sample CSV

Host_File_1.csv
abc.com,1.1.1.1

Host_File_2.csv
xyz.com,2.2.2.2

Splunk 7.2.5.1..
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname IP
abc.com     1.1.1.1
xyz.com      2.2.2.2

Splunk 8.0.5.1
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname IP
xyz.com      2.2.2.2

abc.com in this case gets overwritten by xyz.com it seems.

 

Anyone know why this is happening?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ivanreis
Builder
‎09-16-2020 11:46 PM

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2 and according to the document, it is not allowed to "merging multiple fields" into a single one

Attempting to merge multiple fields with a rename is not allowed.

Version Example
SPL ... rename A as B, C as B
SPL2 Not supported
 

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the questions is answered.

View solution in original post

Reply
Solved! Jump to solution
Solution

ivanreis
Builder
‎09-16-2020 11:46 PM

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2 and according to the document, it is not allowed to "merging multiple fields" into a single one

Attempting to merge multiple fields with a rename is not allowed.

Version Example
SPL ... rename A as B, C as B
SPL2 Not supported
 

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the questions is answered.

Reply
Solved! Jump to solution

chans28
Explorer
‎09-18-2020 11:59 AM

Ah ok do you know when SPL2 was launched?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Developer Program!

Hey Splunk community!  We are excited to announce that Splunk is launching the Splunk Developer Program in ...

Splunkbase Year in Review 2024

Reflecting on 2024, it’s clear that innovation and collaboration have defined the journey for Splunk ...

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...
Top