Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rename command seems to work differently in Splunk 7.2.5.1 vs Splunk 8.0.5.1

chans28
Explorer
‎09-16-2020 03:09 PM

Let me start by saying I know we should be using the coalesce command. I didn't write this query, it has been running fine for a year and it broke after we upgraded to 8.0.5.1. So just making sure I'm not crazy.

Sample CSV

Host_File_1.csv
abc.com,1.1.1.1

Host_File_2.csv
xyz.com,2.2.2.2

Splunk 7.2.5.1..
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname IP
abc.com     1.1.1.1
xyz.com      2.2.2.2

Splunk 8.0.5.1
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname IP
xyz.com      2.2.2.2

abc.com in this case gets overwritten by xyz.com it seems.

 

Anyone know why this is happening?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ivanreis
Builder
‎09-16-2020 11:46 PM

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2 and according to the document, it is not allowed to "merging multiple fields" into a single one

Attempting to merge multiple fields with a rename is not allowed.

Version Example
SPL ... rename A as B, C as B
SPL2 Not supported
 

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the questions is answered.

View solution in original post

Reply
Solved! Jump to solution
Solution

ivanreis
Builder
‎09-16-2020 11:46 PM

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2 and according to the document, it is not allowed to "merging multiple fields" into a single one

Attempting to merge multiple fields with a rename is not allowed.

Version Example
SPL ... rename A as B, C as B
SPL2 Not supported
 

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the questions is answered.

Reply
Solved! Jump to solution

chans28
Explorer
‎09-18-2020 11:59 AM

Ah ok do you know when SPL2 was launched?

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...