Usage of Splunk commands : REPLACE

The usage of the Splunk command replace is as follows:

  • The replace command replaces field values with other values that you specify.
  • It substitutes one string for another string in the fields you name.
  • If you do not specify one or more fields, the value is replaced in all fields.

Below is the skeleton of the replace command in Splunk (the IN clause is optional; without it, every field is searched):

replace <string> WITH <string> [ IN <field-list> ]

Example 1:

index=_internal sourcetype=splunkd_ui_access
| eval AA="GET"
| table method,AA
| dedup method,AA
| replace GET WITH GOOD

Result: screenshot (replace-nsf) not reproduced in the text.

Explanation:

In the above query, “_internal” is the index and “splunkd_ui_access” is the sourcetype. With the “eval” command we create the field “AA” and set its value to “GET”. The “table” command then keeps the “method” and “AA” fields; “method” is an existing field in the “_internal” index. The “dedup” command removes the duplicate rows. Finally, the “replace” command replaces the value “GET” with “GOOD”. Because no field name is given to “replace”, the value is replaced in all fields: “GET” becomes “GOOD” in both the “method” field and the “AA” field.

*************************************************************************************

Example 2:

index=_internal sourcetype=splunkd_ui_access
| eval AA="GET"
| table method,AA
| dedup method,AA
| replace GET WITH GOOD IN method

Result: screenshot (replace-sf) not reproduced in the text.

Explanation:

In the above query, “_internal” is the index and “splunkd_ui_access” is the sourcetype. With the “eval” command we create the field “AA” and set its value to “GET”. The “table” command then keeps the “method” and “AA” fields; “method” is an existing field in the “_internal” index. The “dedup” command removes the duplicate rows. Finally, the “replace” command replaces the value “GET” with “GOOD”. Because the “method” field is specified with “replace” (IN method), the value is replaced only in the “method” field.

*************************************************************************************

Example 3:

index=_internal sourcetype=splunkd_ui_access
| table method
| dedup method
| replace "*T" WITH GOOD

Result: screenshot (replace-wc) not reproduced in the text.

Explanation:

In the above query, “_internal” is the index and “splunkd_ui_access” is the sourcetype. The “table” command keeps the “method” field; “method” is an existing field in the “_internal” index. The “dedup” command removes the duplicate values. Finally, the “replace” command replaces every “method” value that ends with “T” with “GOOD”: the “*” in “*T” is a wildcard that matches any run of characters, and the pattern is compared against the whole value.
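As an added illustration that is not part of the original post, the Python below models how replace treats a result set: the pattern must match the whole value, “*” acts as a wildcard, and the IN field-list limits which columns are touched. It re-runs the three examples above on constructed sample rows (the rows, and the host-normalization query in example_4, are invented for this demonstration and are not the page's data), and goes one step beyond the page by using a wildcard in the replacement string too, the form that is handy when normalizing host names before a stats count. Two things worth noticing: POST also ends with T, so the “*T” pattern rewrites it as well as GET, and replace only rewrites the values in the search results; the indexed events are never modified.

```python
import re
from typing import Dict, Iterable, List, Optional

Row = Dict[str, str]


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Convert a Splunk-style wildcard pattern ("*" matches any run of characters)
    into an anchored regex. Each "*" becomes a capture group so that the matched
    text can be reused when the replacement string also contains "*"."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "(.*)".join(parts) + "$")


def _expand(replacement: str, groups: Iterable[str]) -> str:
    """Fill each "*" in the replacement with the corresponding captured text."""
    captured = list(groups)
    pieces = replacement.split("*")
    out = pieces[0]
    for i, piece in enumerate(pieces[1:]):
        out += (captured[i] if i < len(captured) else "") + piece
    return out


def splunk_replace(rows: List[Row], old: str, new: str,
                   fields: Optional[List[str]] = None) -> List[Row]:
    """Model of `replace <old> WITH <new> [IN <fields>]` over a list of result rows.
    A match must cover the whole value, as in the Splunk command. Rows are copied,
    so the input (standing in for the indexed data) is left untouched."""
    regex = _wildcard_to_regex(old)
    result = []
    for row in rows:
        new_row = dict(row)
        # No IN clause: every field in the row is a candidate.
        for name in (fields if fields is not None else list(row.keys())):
            value = new_row.get(name)
            if value is None:
                continue
            match = regex.match(value)
            if match:
                new_row[name] = _expand(new, match.groups())
        result.append(new_row)
    return result


def dedup(rows: List[Row], fields: List[str]) -> List[Row]:
    """Model of `dedup <fields>`: keep the first row for each distinct combination."""
    seen = set()
    out = []
    for row in rows:
        key = tuple(row.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


# Constructed sample events standing in for index=_internal sourcetype=splunkd_ui_access.
SAMPLE_EVENTS: List[Row] = [
    {"method": "GET", "status": "200"},
    {"method": "POST", "status": "200"},
    {"method": "GET", "status": "404"},
    {"method": "HEAD", "status": "200"},
]


def example_1() -> List[Row]:
    """eval AA="GET" | table method,AA | dedup method,AA | replace GET WITH GOOD"""
    rows = [{"method": e["method"], "AA": "GET"} for e in SAMPLE_EVENTS]
    rows = dedup(rows, ["method", "AA"])
    return splunk_replace(rows, "GET", "GOOD")


def example_2() -> List[Row]:
    """Same as example_1 but: replace GET WITH GOOD IN method"""
    rows = [{"method": e["method"], "AA": "GET"} for e in SAMPLE_EVENTS]
    rows = dedup(rows, ["method", "AA"])
    return splunk_replace(rows, "GET", "GOOD", fields=["method"])


def example_3() -> List[Row]:
    """table method | dedup method | replace "*T" WITH GOOD"""
    rows = [{"method": e["method"]} for e in SAMPLE_EVENTS]
    rows = dedup(rows, ["method"])
    return splunk_replace(rows, "*T", "GOOD")


def example_4() -> List[Row]:
    """Hypothetical extension: replace "*.corp.example" WITH "*" IN host
    strips a constructed domain suffix so hosts group cleanly in a later stats."""
    hosts = [{"host": "web01.corp.example"}, {"host": "db-02.corp.example"},
             {"host": "10.0.0.5"}]
    return splunk_replace(hosts, "*.corp.example", "*", fields=["host"])


if __name__ == "__main__":
    for name, fn in [("Example 1", example_1), ("Example 2", example_2),
                     ("Example 3", example_3), ("Example 4", example_4)]:
        print(name, fn())
```

Running the script prints the rewritten rows for each query; example_2 is the only one in which the AA column survives as GET, because the IN clause confines the substitution to method.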

Now you can use the “replace” command effectively in your daily work to meet your requirements!

Hope you are now comfortable with: Usage of Splunk commands : REPLACE


HAPPY SPLUNKING !!
