Splunk Search

Can we replace a certain value in a field?

rakesh_498115
Motivator

Hi,

I have a field called UniqueID which contains the following values, like A, B, C, D etc. Now for this field I want to replace D with 5. How can I do it?

i.e. I need something like

UniqueID
A
B
C
5

Please help

1 Solution

martin_mueller
SplunkTrust

Crudely, you could replace certain field values like so:

... | eval UniqueID = if(UniqueID="D",5,UniqueID) | ...

If the set of replacements grows larger you could set up a lookup table of original and replaced values.


watsm10
Communicator

You could also make use of an automatic lookup table. So have a csv file with the following:

UniqueID,Output
A,A
B,B
C,C
D,5

Splunk will find the UniqueID and rename it to whatever is in the "Output" column.
So you can totally rename any field you like.

There's a tutorial here: http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Usefieldlookupstoaddinformationtoyourevent...
to walk you through automatic lookups.

I've only recently started using them, but they save a lot of hassle and shorten search strings drastically.

If you need any help, just ask. 🙂

0 Karma
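
Added example, not part of any post in this thread: the lookup approach applied at search time with the `lookup` command. It assumes the CSV above has been uploaded as a lookup file under the hypothetical name `uniqueid_map.csv`; the `makeresults` lines only build constructed test events, including a value `E` that has no row in the CSV.

```spl
| makeresults count=5
| streamstats count AS n
| eval UniqueID=case(n=1,"A", n=2,"B", n=3,"C", n=4,"D", n=5,"E")
| lookup uniqueid_map.csv UniqueID OUTPUT Output
| eval UniqueID=coalesce(Output, UniqueID)
| table UniqueID
```

The `coalesce` keeps the original value when the lookup returns nothing, so `E` passes through unchanged and the CSV only strictly needs rows for the values being replaced.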

Drainy
Champion

You're now handling MV fields? When did they slip into the equation? You might want to start another question... Also, I second Ayn's question about why you use so many usernames on here... every so often I get an email that one user has commented, then you delete it and post as another user?

0 Karma

Ayn
Legend

I've no idea about what you're talking about now. The original question was regarding how to exchange one value in an event for another. What you're trying to transform it to now, I do not understand.

0 Karma

Ayn
Legend

Two things:

  1. You're not enclosing "yes" and "no" in quotes, so you're telling Splunk to use the values of the FIELDS "yes" and "no", not the actual strings.
  2. Why are you using multiple usernames? This confuses and annoys people.

martin_mueller
SplunkTrust

Same thing?

... | eval field1 = if(field2=field3,field4,field5) | ...

Just insert fields as you like.

0 Karma

rakesh_498115
Motivator

Yeah Martin, this worked for me. Thanks 🙂

0 Karma

MuS
SplunkTrust

Hi rakesh

Looks like you're lost somewhere in the Splunk universe; on 24 Oct this year you asked the same http://splunk-base.splunk.com/answers/63109/can-i-replace-the-_raw-data-with-my-own-data and Ayn answered correctly.

So, just use the force and you'll be happy 🙂

cheers,

MuS

MuS
SplunkTrust

This is exactly the same approach, or you try

... | rex mode=sed field= "s/#\d+//"

0 Karma

rakesh_498115
Motivator

Yeah, actually I have asked about the data inside the field this time. I don't want to change the entire data, only the data "D" I want to change. Can you please help on that?

0 Karma