Splunk Search

How to replace a status with a new value?

_gkollias
Builder

I have a search I'm running to change the status of a particular error that is a false negative:

index=wertyu sourcetype=audit  "No valid format *"
| eval status = if(other=="No valid format*","SUCCESS",status)
| stats count latest(status) as status, latest(other) as other by FOO

I'm still seeing FAILED as the status rather than success, and am not quite sure what's wrong here.

Any insights would be greatly appreciated.

0 Karma
1 Solution

richgalloway
SplunkTrust

I'm not sure why you're testing to see if "No valid format" is present when you've told Splunk to only return events with that text.
That said, try this.

... | eval status = if(match(other,"No valid format%"),"SUCCESS",status) | ...
---
If this reply helps you, Karma would be appreciated.


_gkollias
Builder

Yes! This worked:

index=wertyu sourcetype=audit  "No valid format*" earliest=-5d
 | eval status = if(match(other,"No valid format\.*"),"SUCCESS",status)  
 | stats count latest(status) as status, latest(other) as other by FOO

Thank you!

0 Karma

richgalloway
SplunkTrust

Glad to hear it. Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

_gkollias
Builder

Sure thing - here is a friendly sample of the log file:

2015-11-04T13:20:34.319 -0500,1,{host=host},{BP|InvoiceAudit|STATUS ,[CODE]::No valid format for FOO.-

We use extractions before parsing the data, so any string in that placement is stored in the other field.

Also, we know it works since I am able to populate the results in the searches above. The weird thing here is that the status isn't changing.

Any thoughts?

0 Karma

richgalloway
SplunkTrust

I confused the match syntax with the like syntax. One of these should work for you.

... | eval status = if(like(other,"No valid format%"),"SUCCESS",status) | ...

or

... | eval status = if(match(other,"No valid format\.*"),"SUCCESS",status) | ...
---
If this reply helps you, Karma would be appreciated.
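The replies above turn on the difference between three ways of comparing the other field: a plain == string compare (the original search), match(), which is an unanchored regular expression, and like(), which uses SQL-style % and _ wildcards. The following Python script is an added illustration, not code from the thread or from Splunk; it emulates the semantics of those two eval functions well enough to show why each variant posted in the thread does or does not flip FAILED to SUCCESS. The value of the other field is an assumption constructed from the sample log line posted later in the thread.

```python
import re

# Constructed sample value for the "other" field, modelled on the log line
# posted in the thread ("[CODE]::No valid format for FOO.-"). Assumption:
# the field extraction yields the text after "[CODE]::".
OTHER = "No valid format for FOO.-"


def spl_like(value: str, pattern: str) -> bool:
    """Emulate Splunk eval like(): SQL-style wildcards, where % matches any
    run of characters and _ matches one character, anchored to the whole value."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def spl_match(value: str, pattern: str) -> bool:
    """Emulate Splunk eval match(): PCRE-style regex, unanchored search."""
    return re.search(pattern, value) is not None


def new_status(other: str, status: str, predicate) -> str:
    """The eval from the thread: if(<predicate>, "SUCCESS", status)."""
    return "SUCCESS" if predicate(other) else status


# Every predicate that appears in the thread, plus a plain match() for contrast.
CANDIDATES = {
    # other=="No valid format*": a literal string compare, "*" is not a wildcard here.
    "eq_wildcard": lambda o: o == "No valid format*",
    # match(other,"No valid format%"): "%" is a literal percent sign in a regex.
    "match_percent": lambda o: spl_match(o, "No valid format%"),
    # like(other,"No valid format%"): "%" is the wildcard like() expects.
    "like_percent": lambda o: spl_like(o, "No valid format%"),
    # match(other,"No valid format\.*"): "\.*" is zero or more literal dots, and
    # because match() is unanchored the prefix alone is enough to hit.
    "match_regex": lambda o: spl_match(o, r"No valid format\.*"),
    # match(other,"No valid format"): the simplest regex that does the job.
    "match_plain": lambda o: spl_match(o, "No valid format"),
}


def evaluate(other: str = OTHER, status: str = "FAILED") -> dict:
    """Return the status each candidate eval would produce for one event."""
    return {name: new_status(other, status, pred) for name, pred in CANDIDATES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} -> {result}")
```

Run it and only eq_wildcard and match_percent leave the status at FAILED, which is exactly the pair of variants the thread reports as not working; like() with % and match() with a regex both yield SUCCESS. Whether the eval sits before or after the stats does not change this outcome, because latest(other) carries the same string through.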

_gkollias
Builder

Thanks - I am testing to make sure that the search results are accurate before broadening the scope of the search. Why not test this on data I know should give me what I would expect first?

Unfortunately, I am still seeing FAILED as status rather than SUCCESS:

index=wertyu sourcetype=audit  "No valid format*"
| stats count latest(status) as status, latest(other) as other by FOO
| eval status = if(match(other,"No valid format%"),"SUCCESS",status)

0 Karma

richgalloway
SplunkTrust

Can we see a sample of your data? Have you verified the other field contains the target text?

---
If this reply helps you, Karma would be appreciated.
0 Karma

clorne
Communicator

Hello
No valid format * is different from No valid format* (there is no blank between the t and *).

Regards

0 Karma

_gkollias
Builder

Thanks - this did not make a difference in the results.

0 Karma

sloshburch
Ultra Champion

It will not make a difference as long as a non-word character is trailing. Those are caught as punctuation. But remember, you might not notice that it's no different, but the result set could be different.

For example:
"no valid format" will match results that contain the string "no valid format/" but not "no valid format ".

Make sense?
