Splunk Search

How to rename column and row labels after using transpose?

packet_hunter
Contributor

Hi All,
I am having no luck renaming "column" and "row1, row2,..." successfully to "fields" and "event 1, event 2, event3, ...."
I can | rename column as fields, but no luck with the rows.

Please advise how to rename the column to fields and rows to events, row1>event1.

Thank you

1 Solution

sundareshr
Legend

For row values, you have to use replace not rename. Try this replace "column 1" WITH "somevalue" IN column

View solution in original post

jbjerke_splunk
Splunk Employee
Splunk Employee

The right way to do this is to use the header_field option for the transpose command

| transpose header_field=Key

sundareshr
Legend

For row values, you have to use replace not rename. Try this replace "column 1" WITH "somevalue" IN column

kmarion1993
New Member

One option is to use the foreach command

... | foreach "row "* [ rename "row "<<MATCHSTR>> AS ROW<<MATCHSTR>> ]

 

Tags (3)
0 Karma

packet_hunter
Contributor

Thank you for the reply. I may have a miscommunication. I actually just want to rename the column and row labels, not necessarily use Splunk fields.

....| transpose | rename column as Details, "row 1" as 1

so I would like to auto-rename the row 1, row 2, row 3, to just be 1, 2, 3 (dropping the word row)
Is that possible?

I guess the answer is YES, just needed

| transpose | rename column as Details, row* as *

0 Karma

sundareshr
Legend

You mean like this?

| transpose | rename column AS Details "row "* AS *

astackpole
Path Finder

Hello!

I'm in a similar situation now and this works great but I was wondering if there's a way to individually rename each column?  The 'not working' way would look like this:

... | rename row1 AS "Column 1", row2 AS "Scan Logs", row3 AS "etc."

Help on this would be greatly appreciated!

0 Karma

nmsaraujo
Explorer

You need to use:

... | rename "row 1" as "This is Column 1",  "row 2" as  "This is Column 2", etc

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...