hello
in my csv file I have a field called "host" and in my index a field called "HOSTNAME"
its the same field and I have to rename it in order to be able to match the events
but i dont understand why it works when I am doing this :
[| inputlookup host.csv
| rename host as HOSTNAME ] index=master-data-lookups sourcetype="itop:view_splunk_assets"
| stats count by HOSTNAME
and it doesnt works when I am doing?
[| inputlookup host.csv] index=master-data-lookups sourcetype="itop:view_splunk_assets" | rename HOSTNAME as host
| stats count by host
thanks for your help
↧