SPL query to replace ALL values in a field with "Hello World"

Path Finder

I'm trying to write a simple query to replace all of the values in a field (let's call this field my_field) with a single value (like "Hello World").
According to the Splunk docs on replace, this should be pretty simple, but the following query I have right now isn't working:

index="my_index" | replace * WITH "Hello World" IN my_field

I've also tried an even simpler query to replace a specific value (let's call this value "Puppies") in my_field with "Hello World", but that's not working either:

index="my_index" | replace "Puppies" WITH "Hello World" IN my_field

I know I'm missing something obvious. Any ideas about what I can do?

0 Karma

Builder

Here is one way, using rex in sed mode

| makeresults | eval raw2=split("f1=123 f2=456,f1=234 f2=567",",")
| mvexpand raw2 | eval _raw=raw2 | extract | fields - _raw raw2
| rex mode=sed field=f1 "s/.*/Hello World/g"

No matter what values f1 has, they get replaced by Hello World.

_time                  f1           f2
2019-08-08 13:25:28    Hello World  456
2019-08-08 13:25:28    Hello World  567
0 Karma

Path Finder

@jpolvino thanks for this answer. Unfortunately it does not provide me with what I need. See below for an explanation.

0 Karma

Builder

If you want a static value, then how about just
| eval my_field="Hello world"
Or am I still missing something?

0 Karma
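As an added example (not part of jpolvino's answer or the original question), here is a self-contained search on constructed data that puts the approaches from this thread side by side: the replace command (exact value match only), the replace() eval function, rex in sed mode, and a plain constant eval. The field names n, my_field and the via_* columns are assumed for illustration; the third row deliberately has no my_field at all.

```spl
| makeresults count=3
| streamstats count AS n
| eval my_field=case(n==1, "Puppies", n==2, "Kittens")
| eval via_cmd=my_field, via_replace=my_field, via_sed=my_field, via_eval=my_field
| replace "Puppies" WITH "Hello World" IN via_cmd
| eval via_replace=replace(via_replace, "^.*$", "Hello World")
| rex mode=sed field=via_sed "s/^.*$/Hello World/"
| eval via_eval="Hello World"
| table n my_field via_cmd via_replace via_sed via_eval
```

Expect via_cmd to change only the "Puppies" row, via_replace and via_sed to change both rows that have a value, and via_eval to be "Hello World" on all three rows. On the row where my_field is absent, replace, replace() and rex all leave the field missing, which is the check to run when the goal is to mask a sensitive field on every event rather than only where it is populated.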

Path Finder

@jpolvino I've already tried something similar to what you provided:
index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g" but that didn't work for an unknown reason.

0 Karma

Path Finder

@jpolvino It looks like I can create a new field whose values are all "Hello World", but when I try to set my_field to new_field, it doesn't work, which boggles my mind because I've done very similar things before. Here's what I tried:

index="my_index" | eval new_field=replace(my_field, ".*", "Hello World") | eval my_field=new_field

For an unknown reason, my_field does not get updated with new_field's values 😞

0 Karma

Path Finder

EDIT: I've also tried index="my_index" | eval my_field=replace(my_field, *, "Hello World") but that didn't seem to work either

0 Karma

Path Finder

EDIT: I've also tried index="my_index" | rex mode=sed field=my_field "s/.*/Hello World/g" but had no luck with that

0 Karma

SplunkTrust

Can you provide the output of the query after which you want to change the values?

0 Karma