Solved: Replace string to replace entire Message field wit...

priya0709 · ‎08-03-2020

My query searches for (Eventcode=509 OR EventCode=118) and generates output (host, Time, EventCode, Task category, Mesaage)

Is it possible to use REPLACE to replace entire message field with another message associated with the EventCode??

skoelpin · ‎08-03-2020

Use some conditional logic combined with an eval to get it done

| eval Message=if(Eventcode=509 OR EventCode=118,"Insert new message here",Message)

View solution in original post

priya0709 · ‎08-04-2020

My query searches for eventcode and displays (host, time, task category, message) i want to use some color to highlight all same hosts generating multiple eventcode??

please help with the query

skoelpin · ‎08-03-2020

Use some conditional logic combined with an eval to get it done

| eval Message=if(Eventcode=509 OR EventCode=118,"Insert new message here",Message)

priya0709 · ‎08-04-2020

thank you!!! This worked😊😊

skoelpin · ‎08-04-2020

If my solution worked, can you accept it rather than your own?

Replace string to replace entire Message field with another message for specific EventCode??

field extraction

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Replace string to replace entire Message field with another message for specific EventCode??

field extraction

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk