Solved: Why isn't my replace command working in this searc... - Splunk Community

Splunk Search

index=test TransactionId="xxx-xxx-xxx"|  replace "000" with "" in Status| fields Status

I want to replace the first occurrence of "000" in status to blank.This is the command I wrote after referring to Splunk Documentation. However, the results don't show me the modified value of Status. Is there something missing in the command?

My end result should be the value of Status with "000" replaced.

Thanks for your help

1 Solution

Solution

try this

index=test | eval TransactionId="xxx-xxx-xxx" | replace *000* with ** in Status

View solution in original post

Solution

try this

index=test | eval TransactionId="xxx-xxx-xxx" | replace *000* with ** in Status

Try like this

 index=test TransactionId="xxx-xxx-xxx"| eval Status=replace(Status,"^000(.+)","\1") | fields Status

try a regex command:

|rex field=Status mode=sed "s/000//g"

Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...