https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440875#M125290 <P>EDIT: I've also tried <CODE>index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g"</CODE> but had no luck with that</P> Thu, 08 Aug 2019 17:07:38 GMT brinley 2019-08-08T17:07:38Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440873#M125288 <P>I'm trying to write a simple query to replace <EM>all</EM> of the values in a field (let's call this field <CODE>my_field</CODE>) with a single value (like <CODE>"Hello World"</CODE>).<BR /> According to the splunk docs on <CODE>replace</CODE>, this should be pretty simple but the following query I have right now isn't working:</P> <P><CODE>index="my_index" | replace * WITH "Hello World" IN my_field</CODE></P> <P>I've also tried an even simpler query to replace a specific value (let's call this value <CODE>"Puppies"</CODE>) in <CODE>my_field</CODE> with <CODE>"Hello World"</CODE>, but that's not working either:</P> <P><CODE>index="my_index" | replace "Puppies" WITH "Hello World" IN my_field</CODE></P> <P>I know I'm missing something obvious. Any ideas about what I can do? </P> Thu, 08 Aug 2019 16:35:38 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440873#M125288 brinley 2019-08-08T16:35:38Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440874#M125289 <P>EDIT: I've also tried <CODE>index="my_index" | eval my_field=replace(my_field, *, "Hello World")</CODE> but that didn't seem to work either</P> Thu, 08 Aug 2019 16:57:30 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440874#M125289 brinley 2019-08-08T16:57:30Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440875#M125290 <P>EDIT: I've also tried <CODE>index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g"</CODE> but had no luck with that</P> Thu, 08 Aug 2019 17:07:38 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440875#M125290 brinley 2019-08-08T17:07:38Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440876#M125291 <P>Here is one way, using rex in sed mode</P> <PRE><CODE>| makeresults | eval raw2=split("f1=123 f2=456,f1=234 f2=567",",") | mvexpand raw2 | eval _raw=raw2 | extract | fields - _raw raw2 | rex mode=sed field=f1 "s/.*/Hello World/g" </CODE></PRE> <P>No matter what values f1 has, they get replaced by Hello World.</P> <PRE><CODE>_time f1 f2 2019-08-08 13:25:28 Hello World 456 2019-08-08 13:25:28 Hello World 567 </CODE></PRE> Thu, 08 Aug 2019 17:26:12 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440876#M125291 jpolvino 2019-08-08T17:26:12Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440877#M125292 <P>can you provide output of the query after which you want to change the values? </P> Thu, 08 Aug 2019 17:32:51 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440877#M125292 mayurr98 2019-08-08T17:32:51Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440878#M125293 <P>@jpolvino thanks for this answer. Unfortunately it does not provide me with what I need. See below for explanation</P> Thu, 08 Aug 2019 17:37:37 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440878#M125293 brinley 2019-08-08T17:37:37Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440879#M125294 <P>@jpolvino I've already tried something similar to what you provided: <BR /> <CODE>index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g"</CODE> but that didn't work for an unknown reason.</P> Thu, 08 Aug 2019 17:38:56 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440879#M125294 brinley 2019-08-08T17:38:56Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440880#M125295 <P>If you want a static value, then how about just<BR /> | eval my_field="Hello world"<BR /> Or am I still missing something?</P> Thu, 08 Aug 2019 17:41:26 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440880#M125295 jpolvino 2019-08-08T17:41:26Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440881#M125296 <P>@jpolvino It looks like a can create a new field whose values are all "Hello World" but when I try to set <CODE>my_field</CODE> to <CODE>new_field</CODE>, it doesn't work, which boggles my mind b/c I've done very similar things before. Here's what I tried: </P> <P><CODE>index="my_index" | eval new_field=replace(my_field, ".*", "Hello World") | eval my_field=new_field</CODE></P> <P>For an unknown reason,<CODE>my_field</CODE> does not get updated with <CODE>new_field</CODE>'s values <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 08 Aug 2019 17:42:06 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-replace-ALL-values-in-a-field-with-quot-Hello-World/m-p/440881#M125296 brinley 2019-08-08T17:42:06Z