- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: SPL query to replace ALL values in a field wit...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SPL query to replace ALL values in a field with "Hello World"
I'm trying to write a simple query to replace all of the values in a field (let's call this field my_field) with a single value (like "Hello World").
According to the splunk docs on replace, this should be pretty simple but the following query I have right now isn't working:
index="my_index" | replace * WITH "Hello World" IN my_field
I've also tried an even simpler query to replace a specific value (let's call this value "Puppies") in my_field with "Hello World", but that's not working either:
index="my_index" | replace "Puppies" WITH "Hello World" IN my_field
I know I'm missing something obvious. Any ideas about what I can do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is one way, using rex in sed mode
| makeresults | eval raw2=split("f1=123 f2=456,f1=234 f2=567",",")
| mvexpand raw2 | eval _raw=raw2 | extract | fields - _raw raw2
| rex mode=sed field=f1 "s/.*/Hello World/g"
No matter what values f1 has, they get replaced by Hello World.
_time f1 f2
2019-08-08 13:25:28 Hello World 456
2019-08-08 13:25:28 Hello World 567
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jpolvino thanks for this answer. Unfortunately it does not provide me with what I need. See below for explanation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want a static value, then how about just
| eval my_field="Hello world"
Or am I still missing something?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jpolvino I've already tried something similar to what you provided:
index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g" but that didn't work for an unknown reason.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jpolvino It looks like a can create a new field whose values are all "Hello World" but when I try to set my_field to new_field, it doesn't work, which boggles my mind b/c I've done very similar things before. Here's what I tried:
index="my_index" | eval new_field=replace(my_field, ".*", "Hello World") | eval my_field=new_field
For an unknown reason,my_field does not get updated with new_field's values 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
EDIT: I've also tried index="my_index" | eval my_field=replace(my_field, *, "Hello World") but that didn't seem to work either
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
EDIT: I've also tried index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g" but had no luck with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you provide output of the query after which you want to change the values?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
