Splunk Search

rename command seems to work differently in Splunk 7.2.5.1 vs Splunk 8.0.5.1

chans28
Explorer

Let me start by saying I know we should be using the coalesce command. I didn't write this query, it has been running fine for a year and it broke after we upgraded to 8.0.5.1. So just making sure I'm not crazy.

Sample CSV

Host_File_1.csv
abc.com,1.1.1.1

Host_File_2.csv
xyz.com,2.2.2.2

Splunk 7.2.5.1
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname    IP
abc.com     1.1.1.1
xyz.com     2.2.2.2

Splunk 8.0.5.1
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname    IP
xyz.com     2.2.2.2

abc.com in this case gets overwritten by xyz.com it seems.


Anyone know why this is happening?


ivanreis
Builder

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2, and according to the documentation, "merging multiple fields" into a single one is not allowed:

Attempting to merge multiple fields with a rename is not allowed.

Version   Example
SPL       ... rename A as B, C as B
SPL2      Not supported

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the question is answered.

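The coalesce form the question alludes to, written out as an added example rather than code from the thread; it assumes the lookup columns are named host_file_1_name, host_file_2_name and ip, as the original rename and table commands imply:

```spl
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| eval hostname=coalesce(host_file_1_name, host_file_2_name)
| table hostname, ip
```

coalesce returns the first argument that is not null, so each row keeps the name from whichever lookup produced it instead of the second rename overwriting the value set by the first.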


chans28
Explorer

Ah ok, do you know when SPL2 was launched?
