topic Re: Can we replace certain value in field ?? in Splunk Search

Can we replace certain value in field ??

rakesh_498115 — Thu, 13 Dec 2012 12:35:47 GMT

Hi ,

I have a field called UniqueID which contains the following values..like A,B,C,D etc..Now For this field i want to replace D as 5 . how can i do it ??

ie. i need like

UniqueID
A
B
C
5

Please help

Re: Can we replace certain value in field ??

MuS — Thu, 13 Dec 2012 12:50:21 GMT

Hi rakesh

looks like you're lost somewhere in splunk universe; on 24. Oct this years you asked the same http://splunk-base.splunk.com/answers/63109/can-i-replace-the-_raw-data-with-my-own-data and Ayn answered correct.

So, just use the force and you'll be happy 🙂

cheers,

MuS

Re: Can we replace certain value in field ??

rakesh_498115 — Thu, 13 Dec 2012 13:28:15 GMT

Yeah Actually i have asekd about the data inside the field this time ?? i dnt want to change entire data ..only the Data "D" i want to change ..can you pls help on that .

Re: Can we replace certain value in field ??

MuS — Thu, 13 Dec 2012 13:34:57 GMT

this is exactly the same approach or you try

... | rex mode=sed field= "s/#\d+//"

Re: Can we replace certain value in field ??

martin_mueller — Thu, 13 Dec 2012 13:57:13 GMT

Crudely, you could replace certain field values like so:

... | eval UniqueID = if(UniqueID="D",5,UniqueID) | ...

If the set of replacements grows larger you could set up a lookup table of original and replaced values.

Re: Can we replace certain value in field ??

rakesh_498115 — Thu, 13 Dec 2012 18:43:08 GMT

Yeah martin..this worked for me..thnx 🙂

Re: Can we replace certain value in field ??

martin_mueller — Fri, 14 Dec 2012 08:28:01 GMT

Same thing?

... | eval field1 = if(field2=field3,field4,field5) | ...

Just insert fields as you like.

Re: Can we replace certain value in field ??

Ayn — Fri, 14 Dec 2012 09:44:39 GMT

Two things:

You're not enclosing "yes" and "no" in quotes, so you're telling Splunk to use the values of the FIELDS "yes" and "no", not the actual strings.
Why are you using multiple usernames? This confuses and annoys people.

Re: Can we replace certain value in field ??

MuS — Fri, 14 Dec 2012 10:24:56 GMT

go vote for this request 😉

http://splunk-base.splunk.com/answers/63129/splunkbase-feature-request

Re: Can we replace certain value in field ??

watsm10 — Fri, 14 Dec 2012 11:49:25 GMT

You could also make use of an automatic lookup table. So have a csv file with the following:

UniqueID,Output

A,A

B,B

C,C

D,5

Splunk will find the UniqueID and rename it to whatever is in the "Output" column.
So you can totally rename any field you like.

There's a tutorial here: http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents
to walk you through automatic lookups.

I've only recently started using them, but they save a lot of hassle and shortens search strings drastically.

If you need any help, just ask. 🙂

Re: Can we replace certain value in field ??

Ayn — Fri, 14 Dec 2012 12:41:50 GMT

I've no idea about what you're talking about now. The original question was regarding how to exchange one value in an event for another. What you're trying to transform it to now, I do not understand.

Re: Can we replace certain value in field ??

Drainy — Fri, 14 Dec 2012 12:57:12 GMT

You're now handling MV fields? when did they slip into the equation? You might want to start another question... Also, I second Ayn's question about why you use so many usernames on here... every so often I get an email that one user has commented, then you delete it and post as another user?