SPL query to replace ALL values in a field with "Hello World"

I'm trying to write a simple query to replace all of the values in a field (let's call this field my_field) with a single value (like "Hello World").
According to the Splunk docs on replace, this should be pretty simple but the following query I have right now isn't working:
index="my_index" | replace * WITH "Hello World" IN my_field
I've also tried an even simpler query to replace a specific value (let's call this value "Puppies") in my_field with "Hello World", but that's not working either:
index="my_index" | replace "Puppies" WITH "Hello World" IN my_field
I know I'm missing something obvious. Any ideas about what I can do?

Here is one way, using rex in sed mode
| makeresults | eval raw2=split("f1=123 f2=456,f1=234 f2=567",",")
| mvexpand raw2 | eval _raw=raw2 | extract | fields - _raw raw2
| rex mode=sed field=f1 "s/.*/Hello World/g"
No matter what values f1 has, they get replaced by Hello World.
_time f1 f2
2019-08-08 13:25:28 Hello World 456
2019-08-08 13:25:28 Hello World 567

@jpolvino thanks for this answer. Unfortunately it does not provide me with what I need. See below for explanation

If you want a static value, then how about just
| eval my_field="Hello world"
Or am I still missing something?

@jpolvino I've already tried something similar to what you provided:
index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g"
but that didn't work for an unknown reason.

@jpolvino It looks like I can create a new field whose values are all "Hello World" but when I try to set my_field to new_field, it doesn't work, which boggles my mind b/c I've done very similar things before. Here's what I tried:
index="my_index" | eval new_field=replace(my_field, ".*", "Hello World") | eval my_field=new_field
For an unknown reason, my_field does not get updated with new_field's values 😞

EDIT: I've also tried index="my_index" | eval my_field=replace(my_field, *, "Hello World")
but that didn't seem to work either

EDIT: I've also tried index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g"
but had no luck with that

Can you provide the output of the query after which you want to change the values?
