- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Replace value of field A, when found in vlaue ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have events that contain multiple fields. For example
field1=john
field2=doe
field3=johndoeaccounting
What I would like to do is strip the "johndoe" from field3 so that I am left with only "accounting". For a single event with known field1 and field2 values, I could use ... | eval field3=replace(field3,"johndoe","") | ... but there is no way I can find to make the second parameter of the replace() function reference the value of another field. Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this :
* | head 1 | eval field1="john" | eval field2="doe" | eval field3="johndoeaccountingjohndoe"
| eval field3=replace(field3,"^".field1.field2,"") | table field1 field2 field3
The output is "accountingjohndoe" (because you only want to strip the field1+field2 from the start of the string
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this :
* | head 1 | eval field1="john" | eval field2="doe" | eval field3="johndoeaccountingjohndoe"
| eval field3=replace(field3,"^".field1.field2,"") | table field1 field2 field3
The output is "accountingjohndoe" (because you only want to strip the field1+field2 from the start of the string
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very interesting... What you and chris suggested works for everything I try, except with my specific "field3". The errors I get when trying to use "field3" are what led me to believe the eval replace() function would not accept a field reference for the second parameter, but apparently it does. I'll have to look into what is up with my field3 that is causing the Splunk errors.
Marking your answer as accepted, as it is correct 99.9% of the time!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think, that this should work .... I just tried: index=_internal | eval test=replace(host,host,"") this works on Splunk 4.3.3 and 5.0.1 you can get fancy doing things like index=_internal | eval test=replace(replace(host,substr(host, 1, 2),""),substr(host, 3, 2),"") this kind of emulates what I think you are trying to do
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm referring to the eval function replace(x, y, z), not the search command "replace". However, the search command "Replace" suffers from the same flaw in that it treats the parameters as literal strings, not as field references.
Unfortunately, I do not have control of the source of the data, and the log data I Splunk receives is already formatted as "field3=johndoeaccounting".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
where did you get the definition of the replace() ?
the one I see has the following syntax
replace (
for starters I would delimit the rhs of the k=v so that you could parse it out easier.
ie. field3=johndoe|accounting
thus you could split and use the second result as the replacement string
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
