I have events that contain multiple fields. For example
field1=john
field2=doe
field3=johndoeaccounting
What I would like to do is strip the "johndoe" from field3 so that I am left with only "accounting". For a single event with known field1 and field2 values, I could use ... | eval field3=replace(field3,"johndoe","") | ...
but there is no way I can find to make the second parameter of the replace() function reference the value of another field. Any ideas?
Like this :
* | head 1 | eval field1="john" | eval field2="doe" | eval field3="johndoeaccountingjohndoe"
| eval field3=replace(field3,"^".field1.field2,"") | table field1 field2 field3
The output is "accountingjohndoe" (because you only want to strip field1+field2 from the start of the string).
Very interesting... What you and chris suggested works for everything I try, except with my specific "field3". The errors I get when trying to use "field3" are what led me to believe the eval replace() function would not accept a field reference for the second parameter, but apparently it does. I'll have to look into what is up with my field3 that is causing the Splunk errors.
Marking your answer as accepted, as it is correct 99.9% of the time!
I think that this should work. I just tried:
index=_internal | eval test=replace(host,host,"")
This works on Splunk 4.3.3 and 5.0.1. You can get fancy doing things like:
index=_internal | eval test=replace(replace(host,substr(host, 1, 2),""),substr(host, 3, 2),"")
This kind of emulates what I think you are trying to do.
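The two approaches above side by side, as an added example that is not from any post in this thread: the anchored regex form from the accepted answer, and an exact-prefix form built from substr() and len() in the spirit of the substr trick in the answer just above. The events come from makeresults and the field names and values (including the "j+doe" row) are made up for illustration. The second row shows the caveat that comes with building a regex out of field values: a value containing a regex metacharacter is interpreted as a pattern, not as literal text, so "^j+doesmith" never matches the string "j+doesmithfinance" and the regex version leaves it untouched, while the exact-prefix comparison still strips it. A value that forms an invalid regex (for example an unbalanced parenthesis) would make the replace() call fail outright, so the substr()/len() form is the safer choice when the prefix comes from data you do not control.

```spl
| makeresults count=3
| streamstats count AS n
| eval field1=case(n=1, "john", n=2, "j+doe", n=3, "jane")
| eval field2=case(n=1, "doe", n=2, "smith", n=3, "doe")
| eval field3=case(n=1, "johndoeaccountingjohndoe", n=2, "j+doesmithfinance", n=3, "janedoe")
| eval prefix=field1.field2
| eval stripped_regex=replace(field3, "^".prefix, "")
| eval stripped_exact=if(substr(field3, 1, len(prefix))=prefix,
                         substr(field3, len(prefix)+1, len(field3)),
                         field3)
| table n field1 field2 field3 stripped_regex stripped_exact
```

Expected rows: n=1 gives "accountingjohndoe" in both columns (only the leading occurrence is removed thanks to the ^ anchor); n=2 gives "j+doesmithfinance" for stripped_regex but "finance" for stripped_exact; n=3 gives an empty string in both, since the prefix is the whole value.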
I'm referring to the eval function replace(x, y, z), not the search command "replace". However, the search command "replace" suffers from the same flaw in that it treats the parameters as literal strings, not as field references.
Unfortunately, I do not have control of the source of the data, and the log data Splunk receives is already formatted as "field3=johndoeaccounting".
Where did you get the definition of replace()?
The one I see has the following syntax:
replace (
For starters, I would delimit the RHS of the k=v so that you could parse it out more easily,
i.e. field3=johndoe|accounting
Thus you could split it and use the second result as the replacement string.