Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rename command seems to work differently in Splunk 7.2.5.1 vs Splunk 8.0.5.1

chans28
Explorer
‎09-16-2020 03:09 PM

Let me start by saying I know we should be using the coalesce command. I didn't write this query, it has been running fine for a year and it broke after we upgraded to 8.0.5.1. So just making sure I'm not crazy.

Sample CSV

Host_File_1.csv
abc.com,1.1.1.1

Host_File_2.csv
xyz.com,2.2.2.2

Splunk 7.2.5.1..
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname IP
abc.com     1.1.1.1
xyz.com      2.2.2.2

Splunk 8.0.5.1
| inputlookup Host_File_1.csv
| inputlookup Host_File_2.csv append=true
| rename host_file_1_name as hostname
| rename host_file_2_name as hostname
| table hostname, ip

Output
Hostname IP
xyz.com      2.2.2.2

abc.com in this case gets overwritten by xyz.com it seems.

 

Anyone know why this is happening?

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ivanreis
Builder
‎09-16-2020 11:46 PM

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2 and according to the document, it is not allowed to "merging multiple fields" into a single one

Attempting to merge multiple fields with a rename is not allowed.

Version Example
SPL ... rename A as B, C as B
SPL2 Not supported
 

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the questions is answered.

View solution in original post

Reply
Solved! Jump to solution
Solution

ivanreis
Builder
‎09-16-2020 11:46 PM

Hi @chans28 ,

Per my research, the new Splunk version 8.0.5.1 is using SPL2 and according to the document, it is not allowed to "merging multiple fields" into a single one

Attempting to merge multiple fields with a rename is not allowed.

Version Example
SPL ... rename A as B, C as B
SPL2 Not supported
 

For further information, please visit this link
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RenameCommandUsage

Please upvote if the questions is answered.

Reply
Solved! Jump to solution

chans28
Explorer
‎09-18-2020 11:59 AM

Ah ok do you know when SPL2 was launched?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...