https://community.splunk.com/t5/Splunk-Search/Substituting-key-values-on-raw-text/m-p/583307#M203116 <P>Assuming you're running this during search time.</P><P>&nbsp;</P><P>Quick and dirty:</P><P>&nbsp;</P><LI-CODE lang="markup">| eval _raw="Accepted public key for user ".user." from ".src_ip</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Dynamic:</P><P>&nbsp;</P><LI-CODE lang="markup">| foreach user src_ip [eval _raw=replace(_raw, "\$&lt;&lt;FIELD&gt;&gt;\$", '&lt;&lt;FIELD&gt;&gt;')]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 02 Feb 2022 02:10:25 GMT johnhuang 2022-02-02T02:10:25Z https://community.splunk.com/t5/Splunk-Search/Substituting-key-values-on-raw-text/m-p/583304#M203115 <P>Let's say I have a CSV input with the following columns:&nbsp; _raw,user,src_ip<BR /><BR />The _raw event is:&nbsp; "Accepted public key for user $user$ from $src_ip$"<BR /><BR />Is there a way to replace $user$ and $src_ip$ in _raw with the values of the corresponding fields?<BR /><BR />I tried using "foreach" and "rex" in sedcmd mode, but it doesn't look like rex understands &lt;&lt;FIELD&gt;&gt; and '&lt;&lt;FIELD&gt;&gt;'.&nbsp;&nbsp;<BR /><BR />Is there another way to do this?</P> Wed, 02 Feb 2022 00:22:30 GMT https://community.splunk.com/t5/Splunk-Search/Substituting-key-values-on-raw-text/m-p/583304#M203115 responsys_cm 2022-02-02T00:22:30Z https://community.splunk.com/t5/Splunk-Search/Substituting-key-values-on-raw-text/m-p/583307#M203116 <P>Assuming you're running this during search time.</P><P>&nbsp;</P><P>Quick and dirty:</P><P>&nbsp;</P><LI-CODE lang="markup">| eval _raw="Accepted public key for user ".user." from ".src_ip</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Dynamic:</P><P>&nbsp;</P><LI-CODE lang="markup">| foreach user src_ip [eval _raw=replace(_raw, "\$&lt;&lt;FIELD&gt;&gt;\$", '&lt;&lt;FIELD&gt;&gt;')]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 02 Feb 2022 02:10:25 GMT https://community.splunk.com/t5/Splunk-Search/Substituting-key-values-on-raw-text/m-p/583307#M203116 johnhuang 2022-02-02T02:10:25Z