Splunk Search

How to replace multiple column/field names with a `(` with an `_` underscore

HattrickNZ
Motivator

I have a search that gives me a number of columns in the stats field.

max(col1) max(col2) ...
1 2
...

Can I replace the brackets in the column/field names with underscore?

max_col1_ max_col2_ ...
1 2
...

I have looked at replace but that seems to work on the values in the field as opposed to the fieldname.
I am looking for a generic way to do it as apposed to go through each field.

0 Karma

somesoni2
Revered Legend

You can use the rename command with wildcard.

your current search giving column names max(col1) max(col2)... etc | rename max(*) as max_*
0 Karma

somesoni2
Revered Legend

@MuS's solution is what the most optimum and recommended one (get the correct column name while generating columns).

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi HattrickNZ,

in your stats command you can provide names for the result:

 your base search here | stats max(col1) AS max_col1 max(col2) AS max_col2  

Hope this helps ...

cheers, MuS

HattrickNZ
Motivator

tks Mus, sorry should have said, was looking for a more generic way. I am familliar with that method.

0 Karma

MuS
SplunkTrust
SplunkTrust

I reckon you should rephrase your question in this case; so we understand what you're looking for and also provide your search string.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!