
How To Replace Any String Or Values In All Events In Splunk

Hello everyone !!

Hope all of you are enjoying these blog posts. Today we have come with a new magic trick of Splunk. All of us know that when we perform any query in the Search Head we take the help of SPL commands.

We all know that we can replace any string or values in events from the back-end using some attributes in props.conf. It is the responsibility of the Splunk Admin to do this. Now we will show the power of the Splunk Developer.

Now we will show you more advanced functions of SPL commands. Have you ever thought of replacing any string or values in all events after the data is indexed in the indexer? You might be thinking of the “Splunk Replace command”, but NO, this post has a different solution to this problem !!

We will show you how to replace any string or values in all events in Splunk. Follow the steps below:

Step 1:
We have uploaded some sample data.

We are getting data from the replace index, and the sourcetype name is replacelog. We are getting 5 events from this index.

Step 2:
We have to write a query to replace any string in all events.

Query :

index="replace" sourcetype="replacelog"
| rex field=_raw mode=sed "s/Raj/RAJA/g"

Output :

Description :

In the above query we are getting data from the replace index, and the sourcetype name is replacelog. After that we have used the field and mode attributes with the rex command: field=_raw applies the expression to the raw event text, and mode=sed tells rex to treat the quoted string as a sed expression. In that expression, “s” stands for substitute. After the first “/” comes the regex or string which we want to substitute (Raj). After the next “/” comes the regex or string (RAJA) which will take the place of the substituted portion. At last, “/g” stands for global. So, in our case, Raj will be replaced by RAJA in all the events. Because rex is a search-time command, the replacement appears in the search results only; the events stored in the index are not changed. You can find more information in Usage of Splunk commands : REX.
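An added example (not from the original post, and not Splunk's own implementation): a small Python model of the s/regex/replacement/flags expression used in the query, run as a dry run over constructed sample events. It shows that the pattern is a regular expression, so Raj also matches inside Rajesh, and what dropping the g flag changes. Python's re module stands in for Splunk's regex engine, and the event strings and function names are assumptions.

```python
import re

# Constructed sample events (the post's own data was shown only as a screenshot).
SAMPLE_EVENTS = [
    "2024-01-05 10:01:12 user=Raj action=login status=success",
    "2024-01-05 10:02:40 user=Rajesh action=login status=failed",
    "2024-01-05 10:03:05 user=Raj action=approve approver=Raj",
]

def parse_sed(expr):
    """Split 's/<regex>/<replacement>/<flags>' into its parts.
    Only the '/' delimiter and the 'g' flag used on the page are modelled."""
    parts = re.split(r"(?<!\\)/", expr)   # split on '/' not preceded by a backslash
    if len(parts) != 4 or parts[0] != "s":
        raise ValueError("expected s/<regex>/<replacement>/<flags>")
    _, pattern, replacement, flags = parts
    if flags not in ("", "g"):
        raise ValueError("only an empty flag or 'g' is modelled here")
    return re.compile(pattern), replacement, flags == "g"

def apply_sed(expr, events):
    """Return new event strings; the input list is left untouched."""
    regex, replacement, replace_all = parse_sed(expr)
    count = 0 if replace_all else 1       # re.sub: count=0 means every match
    return [regex.sub(replacement, e, count=count) for e in events]

def changed_events(expr, events):
    """Dry run: (before, after) pairs for events the expression would alter."""
    return [(b, a) for b, a in zip(events, apply_sed(expr, events)) if b != a]

if __name__ == "__main__":
    # The page's expression, the same without 'g', and a word-bounded variant.
    for expr in ("s/Raj/RAJA/g", "s/Raj/RAJA/", r"s/\bRaj\b/RAJA/g"):
        print(expr)
        for before, after in changed_events(expr, SAMPLE_EVENTS):
            print("  ", before, "->", after)
```

Reviewing the changed pairs on a handful of representative events before running the substitution across a whole index makes unintended substring hits visible early.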

Hope this has helped you in achieving the below requirement without fail !!

How To Replace Any String Or Values In All Events In Splunk

Happy Splunking !!

Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing!! Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content and its work reflects that.
