Hello - searched, but no answer found.
...| return 10 "Name of Field"
Gives:
Name="" of="" Field=""
I know that I can rename this field, but the goal is to get the actual correct name with spaces as it is used in another sourcetype with the same format.
Any ideas please?
As already said by previous comments, correct solution would be to use spaceless names, but if you cannot change the field name, one workaround would be to add a rename
command before the return
Instead of having
... | return 10 "Name of Field"
You would have
... | rename "Name of Field" as foo | return 10 foo
Can I pass that 10 from a count? I mean say suppose I have this command stats count as count which gives me 10. How I do write the return query->
|return count foo
@kwanx, what is your use case? What are you trying to do? It would be possible for us to suggest alternative if you can share complete SPL.
I do not believe that this can be; even so, it would be best if you didn't.
Best Practice: Do not use field names with spaces.
Even Better Practice: Only use "clean" names:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#Clean_keys
Not sure if it's a bug/limitation/design, but return command only accepts fields with clean names (no spaces). The workaround would be like this
...| head 10 | table "Name of Field" | format
maybe so; that yields:
( ( "Name=\"\" of=\"\" Field=\"\"" ) )
Try this runanywhere search.
| gentimes start=-10 | eval "Name of field"=starttime | table "Name of field" | format
output:
( ( "Name of field"="1503118800" ) OR ( "Name of field"="1503205200" ) OR ( "Name of field"="1503291600" ) OR ( "Name of field"="1503378000" ) OR ( "Name of field"="1503464400" ) OR ( "Name of field"="1503550800" ) OR ( "Name of field"="1503637200" ) OR ( "Name of field"="1503723600" ) OR ( "Name of field"="1503810000" ) OR ( "Name of field"="1503896400" ) )
Have you tried using single quotes around the field name?
yes, simiar results 😕