How To Replace Any String Or Values In A Specific Event In Splunk

Hello everyone !!

Hope all of you are enjoying these blog posts. Today we have come with a new magic trick of Splunk. All of us know that when we run a query in the Search Head, we use SPL commands.

We all know that we can easily replace any string or values in all events.

Now we will show you more advanced functions of SPL commands. Have you ever thought of replacing a string or value in one particular event?

We will show you how to replace any string or values in a specific event in Splunk. Follow the steps below:

Step 1:
Below is the sample data we have uploaded.

We are getting data from the replace index, and the sourcetype name is replacelog. We are getting 5 events from this index.

Step 2:
We have to write a query to replace any string in a specific event.

Query :

index="replace" sourcetype="replacelog"
| streamstats count
| eval _raw=if(count=2,replace(_raw,"Raj","RAJA"),_raw)

Output :

Description :

In the above query we are getting data from the replace index, and the sourcetype name is replacelog. After that we have used the count function with the streamstats command, which creates a field called count. In the count field you will find the numbers 1, 2, 3 and so on. This command basically numbers each of the events: for the first event count is equal to 1, for the second event count is equal to 2, and so on. At last we have used the if function with the eval command. Here _raw is an internal field of Splunk. Inside the if function we have used a condition: if count is equal to 2, it will replace the string Raj with RAJA in the _raw field; otherwise _raw stays as it is. So Raj will be replaced with RAJA only in the second event. The replace function is used to replace any value in a particular field.
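The same technique as a self-contained search that runs without the replace index (an added example, not part of the original post). The five events are constructed with makeresults; their text, the helper field n and the one-minute spacing are assumptions, and the sort puts the events oldest-first so that count=2 always refers to the same event.

```spl
| makeresults count=5
| streamstats count AS n
| eval _time=_time - (6 - n) * 60
| eval _raw=case(
    n=1, "constructed-sample user=Raj action=login",
    n=2, "constructed-sample user=Raj action=upload",
    n=3, "constructed-sample user=Raj action=download",
    n=4, "constructed-sample user=Raj action=logout",
    n=5, "constructed-sample user=Amit action=login")
| fields - n
| sort 0 _time
| streamstats count
| eval _raw=if(count=2, replace(_raw, "Raj", "RAJA"), _raw)
| table count _time _raw
```

Only the row with count=2 (the upload event) shows RAJA, although three other rows also contain Raj. The rewrite affects the search results only, not the indexed data, and without the sort the numbering follows the order in which the search returns events (newest first by default), so count=2 would land on a different event.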

Hope this has helped you replace a string or value in a specific event in Splunk without fail !!

Happy Splunking !!
