https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227325#M67143 <P>I have a search that gives me a number of columns in the stats field. </P> <P>max(col1) max(col2) ...<BR /> 1 2 <BR /> ...</P> <P>Can I replace the brackets in the column/field names with underscore?</P> <P>max_col1_ max_col2_ ...<BR /> 1 2 <BR /> ...</P> <P>I have looked at <A href="http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/Replace" target="_blank">replace</A> but that seems to work on the values in the field as opposed to the fieldname.<BR /> I am looking for a generic way to do it as apposed to go through each field.</P> Tue, 29 Sep 2020 08:57:30 GMT HattrickNZ 2020-09-29T08:57:30Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227325#M67143 <P>I have a search that gives me a number of columns in the stats field. </P> <P>max(col1) max(col2) ...<BR /> 1 2 <BR /> ...</P> <P>Can I replace the brackets in the column/field names with underscore?</P> <P>max_col1_ max_col2_ ...<BR /> 1 2 <BR /> ...</P> <P>I have looked at <A href="http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/Replace" target="_blank">replace</A> but that seems to work on the values in the field as opposed to the fieldname.<BR /> I am looking for a generic way to do it as apposed to go through each field.</P> Tue, 29 Sep 2020 08:57:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227325#M67143 HattrickNZ 2020-09-29T08:57:30Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227326#M67144 <P>Hi HattrickNZ,</P> <P>in your <CODE>stats</CODE> command you can provide names for the result:</P> <PRE><CODE> your base search here | stats max(col1) AS max_col1 max(col2) AS max_col2 </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 02 Mar 2016 20:43:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227326#M67144 MuS 2016-03-02T20:43:10Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227327#M67145 <P>tks Mus, sorry should have said, was looking for a more generic way. I am familliar with that method.</P> Wed, 02 Mar 2016 21:01:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227327#M67145 HattrickNZ 2016-03-02T21:01:05Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227328#M67146 <P>You can use the rename command with wildcard.</P> <PRE><CODE>your current search giving column names max(col1) max(col2)... etc | rename max(*) as max_* </CODE></PRE> Wed, 02 Mar 2016 21:05:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227328#M67146 somesoni2 2016-03-02T21:05:54Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227329#M67147 <P>I reckon you should rephrase your question in this case; so we understand what you're looking for and also provide your search string.</P> Wed, 02 Mar 2016 21:07:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227329#M67147 MuS 2016-03-02T21:07:08Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227330#M67148 <P>@MuS's solution is what the most optimum and recommended one (get the correct column name while generating columns).</P> Wed, 02 Mar 2016 21:26:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-multiple-column-field-names-with-a-with-an/m-p/227330#M67148 somesoni2 2016-03-02T21:26:19Z