Solved: Why isn't my replace command working in this searc... - Splunk Community

Splunk Search

index=test TransactionId="xxx-xxx-xxx"|  replace "000" with "" in Status| fields Status

I want to replace the first occurrence of "000" in status to blank.This is the command I wrote after referring to Splunk Documentation. However, the results don't show me the modified value of Status. Is there something missing in the command?

My end result should be the value of Status with "000" replaced.

Thanks for your help

1 Solution

Solution

try this

index=test | eval TransactionId="xxx-xxx-xxx" | replace *000* with ** in Status

View solution in original post

Solution

try this

index=test | eval TransactionId="xxx-xxx-xxx" | replace *000* with ** in Status

Try like this

 index=test TransactionId="xxx-xxx-xxx"| eval Status=replace(Status,"^000(.+)","\1") | fields Status

try a regex command:

|rex field=Status mode=sed "s/000//g"

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...