Re: "As" command modifier not working

grook · ‎05-06-2019

New to Splunk. Trying to use the "as" command modifier to change the name of a column. However, the modifier is not being highlighted or changing the column name.

Here is my SPL string:
sourcetype="access_combined_wcookie" status=200 file="success.do"
| table JSESSIONID as UserSession

pruthvikrishnap · ‎05-06-2019

Hi Grook,
U will have to rename the command prior to |table, such as
| rename JSESSIONID as usersession
and then call it to table

grook · ‎05-06-2019

Like this?

sourcetype="access_combined_wcookie" status=200 file="success.do"
| rename JSESSIONID as UserSessions
| table UserSession

niketn · ‎05-06-2019

Seems typo, field name should match, so if you rename you should use exact field name afterwards.

  | rename JSESSIONID as UserSessions
  | table UserSessions

If you have space or special characters in the field name you should use double quotes. For example

  | rename JSESSIONID as "User Session IDs"
  | table "User Session IDs"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pruthvikrishnap · ‎05-06-2019

yeah did it work?

"As" command modifier not working

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases