Hello Splunkers,
I am getting an error on the built-in dashboards for the Skylight app. The error is
"Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+."
But the syntax is correct. The dashboards use a search macro that I have expanded and made bold in the example below.
My guess was that the field "result._time" did not exist, but I get the same error (bad syntax) no matter what field I use. Rename is used by other dashboards I have and it works on those.
Am I missing something or is this an issue with the app?
Here is an example search:
| inputlookup triggered_alerts
**| rename result._time AS result_time,
| eval earliest_time="$earliest$"
| eval earliest_cur=if(earliest_time="0", "-10y@y", "$earliest$")
| eval earliest=round(relative_time(now(), earliest_cur))
| eval latest_time="$latest$"
| eval latest_cur=if(latest_time="now" OR latest_time="", "-0h@h", "$latest$")
| eval latest=round(relative_time(now(), latest_cur))
| where (result_time>=earliest AND result_time<=latest)**
| search severity=*
| stats sparkline count by result.ruleName, result.Source
| sort - count | rename sparkline AS Sparkline, count AS "Total Count"
Thanks for reading,