Splunk Search

Replace value of field A, when found in value of field B

Contributor

I have events that contain multiple fields. For example:

field1=john
field2=doe
field3=johndoeaccounting

What I would like to do is strip the "johndoe" from field3 so that I am left with only "accounting". For a single event with known field1 and field2 values, I could use ... | eval field3=replace(field3,"johndoe","") | ... but there is no way I can find to make the second parameter of the replace() function reference the value of another field. Any ideas?

Re: Replace value of field A, when found in value of field B

Path Finder

Where did you get the definition of replace()?

The one I see has the following syntax:

replace (<wc-string> with <wc-string>)+ [in <field-list>]

For starters, I would delimit the RHS of the k=v so that you could parse it out more easily,

i.e. field3=johndoe|accounting

Thus you could split and use the second result as the replacement string.

Re: Replace value of field A, when found in value of field B

Contributor

I'm referring to the eval function replace(x, y, z), not the search command "replace". However, the search command "replace" suffers from the same flaw in that it treats the parameters as literal strings, not as field references.

Unfortunately, I do not have control of the source of the data, and the log data Splunk receives is already formatted as "field3=johndoeaccounting".

Re: Replace value of field A, when found in value of field B

Motivator

I think that this should work. I just tried:

index=internal | eval test=replace(host,host,"")

This works on Splunk 4.3.3 and 5.0.1. You can get fancy doing things like

index=internal | eval test=replace(replace(host,substr(host, 1, 2),""),substr(host, 3, 2),"")

This kind of emulates what I think you are trying to do.

Re: Replace value of field A, when found in value of field B

Influencer

Like this:

* | head 1 | eval field1="john" | eval field2="doe" | eval field3="johndoeaccountingjohndoe"
| eval field3=replace(field3,"^".field1.field2,"") | table field1 field2 field3

The output is "accountingjohndoe" (because you only want to strip field1+field2 from the start of the string).

Re: Replace value of field A, when found in value of field B
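Added example (not from the thread, and not Splunk code): a Python stand-in for the accepted search, using Python's re module in place of Splunk's PCRE engine and constructed events in the thread's field1/field2/field3 shape. It shows the anchored prefix strip working with field references, and the check a practitioner wants before trusting it: field1 and field2 are spliced into a regular expression, so regex metacharacters in those values change what matches or stop the pattern from compiling. Escaping the values, or using a plain-string prefix check, avoids both. The exact metacharacter set and error text differ between Python and PCRE, so treat the third event and the pattern_error() case as illustrations, not as Splunk's behaviour.

```python
import re

# Constructed sample events (not real log data) in the thread's layout.
# The third one has a regex metacharacter ('.') in field1.
EVENTS = [
    {"field1": "john", "field2": "doe", "field3": "johndoeaccountingjohndoe"},
    {"field1": "jane", "field2": "roe", "field3": "accountingjaneroe"},
    {"field1": "a.b",  "field2": "c",   "field3": "aXbcfinance"},
]


def strip_prefix_regex(event, escape=False):
    """Emulate `| eval field3=replace(field3, "^".field1.field2, "")`.

    The concatenated field values become part of a regex. With escape=False
    they are used verbatim, as the SPL expression does; with escape=True
    they are turned into literal text with re.escape first.
    """
    prefix = event["field1"] + event["field2"]
    pattern = "^" + (re.escape(prefix) if escape else prefix)
    # SPL replace() substitutes every match; the ^ anchor limits it to one.
    return re.sub(pattern, "", event["field3"])


def strip_prefix_literal(event):
    """Non-regex alternative: strip only if field3 really starts with field1+field2."""
    prefix = event["field1"] + event["field2"]
    value = event["field3"]
    return value[len(prefix):] if value.startswith(prefix) else value


def pattern_error(event):
    """Return the compile error for the unescaped pattern, or None if it compiles.

    A value such as 'john(' leaves an unbalanced group, so the pattern is
    rejected outright: one way a field-built regex can fail instead of match.
    """
    try:
        re.compile("^" + event["field1"] + event["field2"])
    except re.error as exc:
        return str(exc)
    return None


def run(events, escape=False):
    """Apply strip_prefix_regex to every event and return the new field3 values."""
    return [strip_prefix_regex(e, escape=escape) for e in events]


if __name__ == "__main__":
    literal = [strip_prefix_literal(e) for e in EVENTS]
    for e, raw, safe, lit in zip(EVENTS, run(EVENTS), run(EVENTS, escape=True), literal):
        print(f"{e['field3']:26} unescaped={raw!r:22} escaped={safe!r:14} literal={lit!r}")
    # Constructed event whose field1 breaks the pattern entirely.
    print(pattern_error({"field1": "john(", "field2": "doe", "field3": "john(doeaccounting"}))
```

For the first two events all three approaches agree, which is why the accepted answer works almost everywhere. The third event is the divergence: unescaped, `^a.bc` matches `aXbc` and strips text that was never field1+field2; escaped or literal, field3 is left alone. When a field-built pattern misbehaves or errors in Splunk, inspecting the actual field1 and field2 values for characters like `.`, `(`, `[`, `*`, `+`, `?` or `\` is the first thing to check.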

Contributor

Very interesting... What you and Chris suggested works for everything I try, except with my specific "field3". The errors I get when trying to use "field3" are what led me to believe the eval replace() function would not accept a field reference for the second parameter, but apparently it does. I'll have to look into what is up with my field3 that is causing the Splunk errors.

Marking your answer as accepted, as it is correct 99.9% of the time!
