Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set all column names to capital letters

DavidHourani
Super Champion
‎12-02-2016 03:07 AM

Hello dear Splunkers,

Any idea how to set column names to uppercase/capital letters?
I'm not talking about all the data in the data set, just the column names. I have a table with 10 column and 10000 events and would like to have the column names in capital letters.
Also I don't want to have to go through 10 renames, I'm looking for an automatic way to set them all to capital letters in case i add extra columns.

Regards,
David

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎12-02-2016 05:23 AM

I think having a command with explicit renames is honestly your best bet performance wise... Using an eval trick I learned from @alacercogitatus I came up with:

... |  foreach * [eval temp=upper("<<FIELD>>"), {temp}='<<FIELD>>'| fields - "<<FIELD>>" temp ]

However it too seems to scale terribly with lots of results, taking longer than the base search for merely a few thousand results due to the number of executions it has to make versus a single explicit rename command listing all fields

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎12-02-2016 05:23 AM

I think having a command with explicit renames is honestly your best bet performance wise... Using an eval trick I learned from @alacercogitatus I came up with:

... |  foreach * [eval temp=upper("<<FIELD>>"), {temp}='<<FIELD>>'| fields - "<<FIELD>>" temp ]

However it too seems to scale terribly with lots of results, taking longer than the base search for merely a few thousand results due to the number of executions it has to make versus a single explicit rename command listing all fields

Reply
Solved! Jump to solution

rjthibod
Champion
‎12-02-2016 03:50 AM

I don't think there is a shortcut to doing this without using rename many times. I do not think you can use fieldformat and foreach directly. There may be some roundabout way using appendpipe to generate a list of new field names and then renaming the old names, but that seems a bit much.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-02-2016 04:38 AM

I was thinking about something with a transpose -> eval upper -> transpose... But it doesnt seem to work with a lot of rows..

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎12-02-2016 05:10 AM

Correct, there is a limit on transpose.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...