Solved: How can I iterate through all the column names and...

HattrickNZ · ‎05-03-2018

How can I iterate through all the column names and replace space with underscore and replace :(colon space) with an underscore?

MY Search:

   | makeresults 
     | eval data = "
        1    2017-12    A    155749    131033    84.1;
        2    2017-12    B    24869    23627    95;
        3    2017-12    C    117618    117185    99.6" 
     | makemv delim=";" data 
     | mvexpand data 
     | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)" 
     | fields + date serial type attempts successfullAttempts sr 
     | rename date as _time 
     | search serial=* 
     | eval "success full: Attempts"=5
     | eval "success full: Attempts2"=6

My OUTPUT:

    _time   serial  type    attempts    successfullAttempts sr  success full: Attempts  success full: Attempts2
1   2017-12 1   A   155749  131033  84  5   6
2   2017-12 2   B   24869   23627   95  5   6
3   2017-12 3   C   117618  117185  99  5   6

Adding this to my search gives me what I want, but I am looking at being able to iterate as opposed to do it verbose.

 | rename "success full: Attempts" as success_full_Attempts
 | rename "success full: Attempts2" as success_full_Attempts2

related Q here

FrankVl · ‎05-04-2018

Add this:

  | rename "*: *" AS *_*
  | rename "* *" AS *_*

View solution in original post

FrankVl · ‎05-04-2018

Add this:

  | rename "*: *" AS *_*
  | rename "* *" AS *_*

How can I iterate through all the column names and replace characters in the their names?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...