Splunk Search

rename & replace

Lynda_Sadi1275
Path Finder

Hello,

I'm new with SPL and Splunk, I have a folder that has 3 files, in the first file I have a column called Vblock, in the other two is called vCenter. I want to rename vCenter by Vblock in both files and then I want to replace the Vblock values as follows: when I have Vbc1 I replace it with Vblock1, when I have Vbc2 I replace it with Vblock 2, as I can do that?
I made this request |rename vCenter as Vblock |replace "vbc1" with "Vblock1", "vbc2" with "Vblock2" in Vblock but they do not replace the values of Vblock or I may not know how to check.

Thanks for your help.

Tags (2)
0 Karma

woodcock
Esteemed Legend

The rename command changes the field name whereas replace changes the field value so you have that part right. You just need some wildcards:

 |rename vCenter as Vblock |replace "*vbc1*" with "*Vblock1*", "*vbc2*" with "*Vblock2*" in Vblock
0 Karma

Lynda_Sadi1275
Path Finder

what is the role of the order coalesce

0 Karma

thambisetty
Super Champion

Hi,

You can do something like below,

| eval newfield=colesce(Vblock,vCenter)
| eval newfield=Case(newfield="Vbc1","vblock1",newfield="vbc2","vblock2")
————————————
If this helps, give a like below.
0 Karma

Lynda_Sadi1275
Path Finder

What does the coalesce command mean in this Splunk search?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!