Splunk Search

Is it possible to update _raw with a replaced field easily?

Explorer

When I use replace to update a field, it is updated properly (in the interesting fields sidebar) but my search displays the _raw event with the original value. Ex.:

search | replace "ABC" WITH "XYZ*" IN myfield

I can use table but there are parts of the event that are not extracted which I'd like to see. How can I update _raw with the new value of myfield?

0 Karma

SplunkTrust

Any updates to the (search-time) extracted field values would not update the _raw value. Those extracted fields are available independent of _raw. You would have to do similar updates in the _raw field explicitly for it to show the updated field values. Please note that since your _raw data can/will have other stuff that might get updated unwantedly, you will have to be careful in defining the replace arguments.

0 Karma
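As an added illustration of the answer above (not part of the original thread), the same substitution applied to _raw with an eval, anchored on the field name so that only that value is rewritten and other occurrences of the text in the event are left alone. It assumes the event carries the value as myfield=ABC, and uses a literal replacement rather than the wildcard of the replace command:

```spl
search
| replace "ABC" WITH "XYZ" IN myfield
| eval _raw=replace(_raw, "(myfield=)ABC\b", "\1XYZ")
```

The _raw rewrite only affects what this search displays, not the indexed data, so the original value is still present in the index.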

Let's start with your actual end goal. It's possible to use SPL to "replace" the content of _raw, but if you are then going to route the results through a table command, there are definitely better ways to get to wherever you're going. Most likely, the best path will involve using a rex command to extract whatever data isn't currently being extracted, modifying it as needed, and then routing it into a table. Want to expand on the nature of your search and end goal?

0 Karma

Explorer

I'm avoiding the use of table as I'd have to build a bunch of extractions to show everything that raw shows. One of my few extracted fields is sensitive and I do not want it showing in screenshots. It would be a nice feature to be able to do the above and just *| rebuild(raw)* somehow.

0 Karma