- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to set all column names to capital letters
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello dear Splunkers,
Any idea how to set column names to uppercase/capital letters?
I'm not talking about all the data in the data set, just the column names. I have a table with 10 column and 10000 events and would like to have the column names in capital letters.
Also I don't want to have to go through 10 renames, I'm looking for an automatic way to set them all to capital letters in case i add extra columns.
Regards,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think having a command with explicit renames is honestly your best bet performance wise... Using an eval trick I learned from @alacercogitatus I came up with:
... | foreach * [eval temp=upper("<<FIELD>>"), {temp}='<<FIELD>>'| fields - "<<FIELD>>" temp ]
However it too seems to scale terribly with lots of results, taking longer than the base search for merely a few thousand results due to the number of executions it has to make versus a single explicit rename command listing all fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think having a command with explicit renames is honestly your best bet performance wise... Using an eval trick I learned from @alacercogitatus I came up with:
... | foreach * [eval temp=upper("<<FIELD>>"), {temp}='<<FIELD>>'| fields - "<<FIELD>>" temp ]
However it too seems to scale terribly with lots of results, taking longer than the base search for merely a few thousand results due to the number of executions it has to make versus a single explicit rename command listing all fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think there is a shortcut to doing this without using rename many times. I do not think you can use fieldformat and foreach directly. There may be some roundabout way using appendpipe to generate a list of new field names and then renaming the old names, but that seems a bit much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was thinking about something with a transpose -> eval upper -> transpose... But it doesnt seem to work with a lot of rows..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct, there is a limit on transpose.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
