https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353153#M104532 <P>Any updates to the (search-time) extracted fields values would not update the _raw value. Those extracted fields are available independent of _raw. You would have to do the similar updates in _raw field explicitly for it to show updated field values. Please note that since, your _raw data can/will have other stuffs that might get updated un-wantedly, you will have to careful in defining the replace arguments.</P> Mon, 23 Apr 2018 20:21:34 GMT somesoni2 2018-04-23T20:21:34Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353151#M104530 <P>When I use <CODE>replace</CODE> to update a field, it is updated properly (in the interesting fields sidebar) but my search displays the _raw event with the original value. Ex.:</P> <PRE><CODE>search | replace "ABC" WITH "XYZ*" IN myfield </CODE></PRE> <P>I can use <CODE>table</CODE> but there are parts of the event that are not extracted which I'd like to see. How can I update _raw with the new value of myfield?</P> Mon, 23 Apr 2018 19:44:36 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353151#M104530 axelabs 2018-04-23T19:44:36Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353152#M104531 <P>Let's start with your actual end goal. It's possible to use SPL to "replace" the content of _raw, but if you are then going to route the results through a <CODE>table</CODE> command, there are definitely better ways to get to wherever you're going. Most likely, the best path will involve using a <CODE>rex</CODE> command to extract whatever data isn't currently being extracted, modifying it as needed, and then routing it into a table. Want to expand on the nature of your search and end goal?</P> Mon, 23 Apr 2018 20:16:13 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353152#M104531 elliotproebstel 2018-04-23T20:16:13Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353153#M104532 <P>Any updates to the (search-time) extracted fields values would not update the _raw value. Those extracted fields are available independent of _raw. You would have to do the similar updates in _raw field explicitly for it to show updated field values. Please note that since, your _raw data can/will have other stuffs that might get updated un-wantedly, you will have to careful in defining the replace arguments.</P> Mon, 23 Apr 2018 20:21:34 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353153#M104532 somesoni2 2018-04-23T20:21:34Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353154#M104533 <P>I'm avoiding the use of <STRONG>table</STRONG> as I'd have to build a bunch of extractions to show everything that _raw shows. One of my few extracted fields is sensitive and I do not want it showing in screenshots. It would be a nice feature to be able to do the above and just <EM>| rebuild(_raw)</EM> somehow.</P> Tue, 29 Sep 2020 19:10:33 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-update-raw-with-a-replaced-field-easily/m-p/353154#M104533 axelabs 2020-09-29T19:10:33Z