rename field with *

secure · ‎01-29-2025

Hi

i have a field with name

server_*_count. the * is coming from an input dropdown ALL where value is *

how can i rename it to server_ALL_count

|rename server_*_count as server_ALL_count

its giving me an error cannot be renamed because of asterix (wildcard)

secure · ‎01-29-2025

@bowesmana

here is the dropdown ALL value = *

in the query

so when selected all it comes as server_*_count

yuanliu · ‎01-29-2025

Like @bowesmana says

but do you really need the $env$ in the field name?

Wouldn't

| stats dc(hostname) by host_environment

make more sense in a dashboard?

bowesmana · ‎01-29-2025

OK, so it's getting created in the stats command. So don't use that technique. Do something like

| stats dc(hostname) as server_count
| eval n=if($env|s$="*", "ALL", $env|s$)
| eval server_{n}_count=server_count
| fields - server_count

but do you really need the $env$ in the field name? Is this dashboard studio - you can probably assign an additional token $env_name$ based on the selected NAME of the environment rather than the token value. I'm not familiar enough with DS to say how to do this, but you can then use $env$ as the search constraint and $env_name$ as the server name.

bowesmana · ‎01-29-2025

You can't rename it like that - how does that field exist? Is it actually in the data or is it created somehow.

Can you post the dropdown where that field is created?

rename field with *

fields

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

rename field with *

fields

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!