How To Replace Any String Or Values In All Events In Splunk


Hello everyone !!

Hope all of you are enjoying these blog posts. Today we have come with a new magic trick of Splunk. All of us know that when we run a query in the Search Head, we take the help of SPL commands.

We all know that we can replace any string or value in events from the back end using some attributes in props.conf. Doing this is the responsibility of the Splunk Admin. Now we will show the power of the Splunk Developer.

Now we will show you more advanced functions of SPL commands. Have you ever thought of replacing a string or value in all events after the data has been indexed in the indexer?

We will show you how to replace any string or value in all events in Splunk. Follow the steps below:

Step 1:
Below, we have uploaded some sample data.

We are getting data from the replace index, and the sourcetype name is replacelog. We are getting 5 events from this index.

Step 2:
We have to write a query to replace a string in all events.

Query :

index="replace" sourcetype="replacelog"
| rex field=_raw mode=sed "s/Raj/RAJA/g"

Output :

Description :

In the above query, we get data from the replace index, where the sourcetype name is replacelog. We then use the field and mode attributes of the rex command: field=_raw applies the expression to the raw event text, and mode=sed tells rex to treat the expression as a sed-style substitution. In the expression, “s” stands for substitute. After the first “/” comes the regex or string we want to replace (Raj). After the second “/” comes the regex or string (RAJA) that takes its place. The final “/g” means global, so every occurrence is replaced. In our case, Raj is replaced by RAJA in all the events. Note that rex runs at search time, so the replacement applies to the search results; the data stored in the index is unchanged. You can find more information in Usage of Splunk commands: REX.
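The same substitution syntax is commonly used to mask sensitive values in search results. The search below is an added example, not part of the original post: it builds three constructed sample events with makeresults (the user names, the card field and its value are assumptions), anchors the Raj pattern with \b so that longer names such as Rajesh are left alone, and uses the back reference \2 to keep only the last four digits of a card number.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "2024-05-01T10:00:00Z user=Raj action=login src=10.0.0.5",
    n=2, "2024-05-01T10:01:00Z user=Rajesh action=payment card=1234-5678-9012-3456",
    n=3, "2024-05-01T10:02:00Z user=raj action=logout src=10.0.0.5")
| eval original=_raw
| rex field=_raw mode=sed "s/\bRaj\b/RAJA/g"
| rex field=_raw mode=sed "s/(\d{4}-){3}(\d{4})/XXXX-XXXX-XXXX-\2/g"
| table original _raw
```

Comparing the original and _raw columns shows which events each expression touched; the match is case-sensitive, so the lowercase raj event is not rewritten by the first expression.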

Hope this has helped you achieve the requirement without fail: how to replace any string or value in all events in Splunk!

Happy Splunking !!
