Splunk Search

Splunk search- How to capitalize the first letter of every filed column?

uagraw01
Builder

Hello Splunkers !!

As per the below screenshot I want to capitalise the first letter of every filed column.So for the same I have tried above work around which are in commented. Please suggest me how can I Capitalise first letter of every field name.

IMG_20220915_195909__01.jpg

Labels (1)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

@uagraw01 - Here is how you can do that without explicitly specifying the field name. It applies to all the present fields.

| foreach * [
| eval field_<<FIELD>> = "<<FIELD>>"
| eval field_<<FIELD>> = upper(substr(field_<<FIELD>>,1,1)).substr(field_<<FIELD>>,2)
| eval {field_<<FIELD>>} = <<FIELD>>
| fields - field_<<FIELD>>, <<FIELD>>]

 

Here is full example:

| makeresults | eval vulnerabilities=10, groups=2
| append [| makeresults | eval vulnerabilities=9, groups=4]
| foreach * [
| eval field_<<FIELD>> = "<<FIELD>>"
| eval field_<<FIELD>> = upper(substr(field_<<FIELD>>,1,1)).substr(field_<<FIELD>>,2)
| eval {field_<<FIELD>>} = <<FIELD>>
| fields - field_<<FIELD>>, <<FIELD>>]

VatsalJagani_0-1663304487485.png

 

I hope this helps!!! Please upvote & accept the answer if it answers your question!!!

View solution in original post

VatsalJagani
SplunkTrust
SplunkTrust

@uagraw01 - In your search, it seems the easiest option to do that is to just write field names the way you want in the stats command itself. Like,

| stats dc(falcon.vul.cve.id) as Vulnerabilities, dc(host.info.id) as Groups .....

 

I hope this helps!!!

uagraw01
Builder

@VatsalJagani Thank you vatsal for your response. 

 

Just for my knowledge can you help me, how can I achieve this by using eval function?

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@uagraw01 - Here is how you can do that without explicitly specifying the field name. It applies to all the present fields.

| foreach * [
| eval field_<<FIELD>> = "<<FIELD>>"
| eval field_<<FIELD>> = upper(substr(field_<<FIELD>>,1,1)).substr(field_<<FIELD>>,2)
| eval {field_<<FIELD>>} = <<FIELD>>
| fields - field_<<FIELD>>, <<FIELD>>]

 

Here is full example:

| makeresults | eval vulnerabilities=10, groups=2
| append [| makeresults | eval vulnerabilities=9, groups=4]
| foreach * [
| eval field_<<FIELD>> = "<<FIELD>>"
| eval field_<<FIELD>> = upper(substr(field_<<FIELD>>,1,1)).substr(field_<<FIELD>>,2)
| eval {field_<<FIELD>>} = <<FIELD>>
| fields - field_<<FIELD>>, <<FIELD>>]

VatsalJagani_0-1663304487485.png

 

I hope this helps!!! Please upvote & accept the answer if it answers your question!!!

uagraw01
Builder

@VatsalJagani Thanks for your response.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@uagraw01 - If it answers your question, please mark it as an accepted answer by clicking on "Accept as Solution".

0 Karma

uagraw01
Builder

Please provide me any suggestion on the below post.

 

As per below example like First letter should be in Capital.

Current "vulnablities ", groups

expection : "Vulnablities" , "Groups"

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...