Solved: Replace string to replace entire Message field wit...

priya0709 · ‎08-03-2020

My query searches for (Eventcode=509 OR EventCode=118) and generates output (host, Time, EventCode, Task category, Mesaage)

Is it possible to use REPLACE to replace entire message field with another message associated with the EventCode??

skoelpin · ‎08-03-2020

Use some conditional logic combined with an eval to get it done

| eval Message=if(Eventcode=509 OR EventCode=118,"Insert new message here",Message)

View solution in original post

priya0709 · ‎08-04-2020

My query searches for eventcode and displays (host, time, task category, message) i want to use some color to highlight all same hosts generating multiple eventcode??

please help with the query

skoelpin · ‎08-03-2020

Use some conditional logic combined with an eval to get it done

| eval Message=if(Eventcode=509 OR EventCode=118,"Insert new message here",Message)

priya0709 · ‎08-04-2020

thank you!!! This worked😊😊

skoelpin · ‎08-04-2020

If my solution worked, can you accept it rather than your own?

Replace string to replace entire Message field with another message for specific EventCode??

field extraction

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!