Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rename command seems to work differently in Splunk 7.2.5.1 vs Splunk 8.0.5.1

chans28
Explorer
‎09-16-2020 03:09 PM

Let me start by saying I know we should be using the coalesce command. I didn't write this query, it has been running fine for a year and it broke after we upgraded to 8.0.5.1. So just making sure I'm not crazy.

Sample CSV

Host_File_1.csv
abc.com,1.1.1.1

Host_File_2.csv
xyz.com,2.2.2.2

Splunk 7.2.5.1..
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname IP
abc.com     1.1.1.1
xyz.com      2.2.2.2

Splunk 8.0.5.1
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname IP
xyz.com      2.2.2.2

abc.com in this case gets overwritten by xyz.com it seems.

 

Anyone know why this is happening?

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ivanreis
Builder
‎09-16-2020 11:46 PM

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2 and according to the document, it is not allowed to "merging multiple fields" into a single one

Attempting to merge multiple fields with a rename is not allowed.

Version Example
SPL ... rename A as B, C as B
SPL2 Not supported
 

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the questions is answered.

View solution in original post

Reply
Solved! Jump to solution
Solution

ivanreis
Builder
‎09-16-2020 11:46 PM

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2 and according to the document, it is not allowed to "merging multiple fields" into a single one

Attempting to merge multiple fields with a rename is not allowed.

Version Example
SPL ... rename A as B, C as B
SPL2 Not supported
 

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the questions is answered.

Reply
Solved! Jump to solution

chans28
Explorer
‎09-18-2020 11:59 AM

Ah ok do you know when SPL2 was launched?

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...