topic Re: Renaming fields in a table without changing column order in Splunk Search

How to rename fields in a table without changing column order?

bowesmana — Tue, 17 Jan 2023 20:26:32 GMT

Any suggestions on how to rename fields and keep those fields in their stated table order.

I have a bunch of fields that are attributes that are named is_XXX. I want all those fields to be on the right hand side of the table, so if I do

<search> | foreach is_* [ eval "zz_<<MATCHSTR>>"=if(<<FIELD>>=1,"","")] | fields - is_* | table entity entity_type *

it works nicely and puts the first two named fields as the first two columns, then other fields then all the zz_* fields.

However, as soon as I add

| rename zz_* as *

it changes the order and sorts all the columns (apart from the first named two) into alphabetical order.

Any specifically named fields I add after entity_type persist the column order but all fields output as a result of the wildcard lose their order after the rename.

Re: Renaming fields in a table without changing column order

ITWhisperer — Tue, 17 Jan 2023 09:09:27 GMT

transpose, alter the values in the field names column, transpose back again

Re: Renaming fields in a table without changing column order

bowesmana — Tue, 17 Jan 2023 22:52:35 GMT

Yup, that worked - I've always wondered about the performance of a transpose with a large dataset. I imagine under the hood it could be pretty efficient. Probably need to do some performance comparisons with it to see if it's a practical solution for big sets.

Thanks!

Re: Renaming fields in a table without changing column order

bowesmana — Tue, 17 Jan 2023 22:58:25 GMT

@ITWhisperer

FYI: transpose 0 with large row count won't work

without the transpose it creates the million rows quickly, but the transpose just dies - been running for a while now...

Anyway, the solution works for my use case.