Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rename field with *

secure
Path Finder
‎01-29-2025 01:16 PM

Hi 

i have a field with name 

server_*_count. the * is coming from an input dropdown ALL where value is * 

how can i rename it to server_ALL_count

|rename server_*_count as server_ALL_count

its giving me an error cannot be renamed because of asterix (wildcard)

Labels (1)
Labels
Tags (1)
0 Karma
Reply

secure
Path Finder
‎01-29-2025 01:35 PM

@bowesmana 

here is the dropdown ALL value = * 

secure_0-1738186419172.png

in the query 

secure_2-1738186509556.png

so when selected all it comes as server_*_count

 

 

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-29-2025 07:46 PM

Like @bowesmana says

but do you really need the $env$ in the field name?

Wouldn't 

| stats dc(hostname) by host_environment

make more sense in a dashboard? 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-29-2025 01:43 PM

OK, so it's getting created in the stats command. So don't use that technique. Do something like

| stats dc(hostname) as server_count
| eval n=if($env|s$="*", "ALL", $env|s$)
| eval server_{n}_count=server_count
| fields - server_count

but do you really need the $env$ in the field name? Is this dashboard studio - you can probably assign an additional token $env_name$ based on the selected NAME of the environment rather than the token value. I'm not familiar enough with DS to say how to do this, but you can then use $env$ as the search constraint and $env_name$ as the server name.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-29-2025 01:29 PM

You can't rename it like that - how does that field exist? Is it actually in the data or is it created somehow.

Can you post the dropdown where that field is created?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...