How to rename multiple field names with certain cr... - Splunk Community

Splunk Search

How do I replace the MB in each field name with GB ??

_time   XXX-XX-MB   XXX-XXX-MB  XXXXXXMB_XX_XXX
1   2017-07-30 11:00    1391.67548628852    1381.60821617188    1274.532780647
2   2017-07-30 12:00    1509.29349191985    1503.65362613860    1373.894662857

So my result would look like this:

_time   XXX-XX-GB   XXX-XXX-GB  XXXXXXGB_XX_XXX
1   2017-07-30 11:00    1391.67548628852    1381.60821617188    1274.532780647
2   2017-07-30 12:00    1509.29349191985    1503.65362613860    1373.894662857

I can already change all the field values with this command and was thinking I could do something similar with the field names.
foreach * [eval <<FIELD>>='<<FIELD>>'/1024] |

try this!

(your search)|rename *_mb* as *_gb*|foreach *_gb* [eval <<FIELD>>='<<FIELD>>'/1024]

Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community, We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...