Splunk Search

How to use eval to change a field's value?

guillecasco
Path Finder

Is it possible with EVAL to do the following? I have a field named version which brings the value like this:

Version
60101228
50201315

but I would like to change it to the following (and maintain the original)

Version
" 60101228 or 6.1.1228"
"50201315 or 5.2.1315"

Where a 0 (zero) is replaced with a dot (.). I need this because later I will need both values in a dynamic drop-down search in which values can appear in both ways.

Can eval do this? Maybe another function? Thanks!


sundareshr
Legend

Try this

index=* usearch | rex "\"version\": \"(?<Version>\w*)\"" | dedup Version | eval version = replace(version,"0",".") | table Version

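An added example, not part of the thread: a self-contained search that keeps the original value next to a dotted form and only converts the two separator zeros. It assumes every value is eight digits laid out as major, 0, minor, 0, four-digit build, as in the two samples in the question; the third sample value (60101208) is constructed, and the field names naive, dotted and Version_both are hypothetical.

```spl
| makeresults
| eval Version=split("60101228,50201315,60101208", ",")
| mvexpand Version
| eval naive=replace(Version, "0", ".")
| eval dotted=if(match(Version, "^\d0\d0\d{4}$"), replace(Version, "^(\d)0(\d)0(\d{4})$", "\1.\2.\3"), null())
| eval Version_both=if(isnull(dotted), Version, Version." or ".dotted)
| table Version naive dotted Version_both
```

For the constructed value 60101208, replacing every 0 yields 6.1.12.8, while the anchored pattern yields 6.1.1208; values that do not fit the assumed layout keep only their original form in Version_both.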

nawazns5038
Builder

Regex: group name must start with a non-digit...
