Usage of Splunk commands : REPLACE
The usage of the Splunk command REPLACE is as follows:
- The replace command replaces field values in your search results with the values that you specify.
- It replaces a string with another string in the fields that you list. The match string is compared against the whole field value, and you can use the * wildcard to match part of a value (for example "*T" matches any value that ends with T).
- If you don't specify a field list with IN, the value is replaced in all fields of every result.
- The replacement is applied to the results at that point of the search pipeline only; the indexed events are not changed.
Find below the skeleton of the usage of the command "replace" in SPLUNK:
replace <wc-string> WITH <wc-string> [, <wc-string> WITH <wc-string> ...] [IN <field-list>]
Several "string WITH string" pairs can be given in one replace command, separated by commas.
Example 1:
index=_internal sourcetype=splunkd_ui_access | eval AA="GET" | table method,AA | dedup method,AA | replace GET WITH GOOD
Result:
Explanation:
In the above query "_internal" is the index and the sourcetype is "splunkd_ui_access". With the "eval" command we have created the field "AA", whose value is "GET" in every event. The "table" command then keeps only the "method" and "AA" fields; "method" is an existing field in the "_internal" index. The "dedup" command removes duplicate combinations of "method" and "AA", which leaves one row per HTTP method. Finally the "replace" command replaces the value "GET" with "GOOD". Because no field is specified with "replace", the value is replaced in all fields: "GET" becomes "GOOD" both in the "method" field and in the "AA" field.
*************************************************************************************
Example 2:
index=_internal sourcetype=splunkd_ui_access | eval AA="GET" | table method,AA | dedup method,AA | replace GET WITH GOOD IN method
Result:
Explanation:
In the above query "_internal" is the index and the sourcetype is "splunkd_ui_access". With the "eval" command we have created the field "AA", whose value is "GET" in every event. The "table" command then keeps only the "method" and "AA" fields; "method" is an existing field in the "_internal" index. The "dedup" command removes duplicate combinations of "method" and "AA". Finally the "replace" command replaces the value "GET" with "GOOD". This time we specify the "method" field with "IN", so the value is replaced only in the "method" field; the "AA" field keeps the value "GET".
*************************************************************************************
Example 3:
index=_internal sourcetype=splunkd_ui_access | table method | dedup method | replace "*T" WITH GOOD
Result:
Explanation:
In the above query "_internal" is the index and the sourcetype is "splunkd_ui_access". The "table" command keeps only the "method" field, which is an existing field in the "_internal" index, and the "dedup" command removes the duplicate values so that each method appears once. Finally the "replace" command replaces every "method" value that ends with "T" with "GOOD": the "*" wildcard matches any leading characters, so values such as "GET" and "POST" both become "GOOD", while a value such as "DELETE" is left unchanged.
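To make the matching rules concrete, here is an added Python emulation of the replace semantics described in the skeleton above and used in Examples 1 to 3. It is example code written for this page, not Splunk's own implementation and not SPL. The sample rows are constructed and stand in for the output of `table method,AA | dedup method,AA`; the emulation assumes whole-value, case-sensitive matching with `*` as the only wildcard, that `*` in the WITH string carries over the matched text, and that the first matching pair wins when several pairs are given.

```python
"""Emulation of Splunk's `replace` command semantics (added example, not Splunk code)."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

Row = Dict[str, str]

# Constructed sample results (not real splunkd_ui_access data): one row per HTTP
# method, plus the constant field AA="GET" that the page creates with eval.
SAMPLE_ROWS: List[Row] = [
    {"method": m, "AA": "GET"} for m in ("GET", "POST", "PUT", "DELETE", "OPTIONS")
]


def _compile_wildcard(pattern: str) -> "re.Pattern[str]":
    """Turn a wildcard string (only `*` is special) into a whole-value regex.

    Each `*` becomes a capture group so its text can be re-used in the
    replacement value, as in `replace "* localhost" WITH "localhost *"`.
    Matching is case-sensitive (an assumption of this emulation).
    """
    parts = pattern.split("*")
    return re.compile("(.*)".join(re.escape(p) for p in parts), re.DOTALL)


def _substitute(match: "re.Match[str]", replacement: str) -> str:
    """Fill each `*` in the replacement with the corresponding captured text."""
    groups = match.groups()
    pieces = replacement.split("*")
    out = []
    for i, piece in enumerate(pieces):
        out.append(piece)
        if i < len(pieces) - 1:  # a `*` followed this piece
            out.append(groups[i] if i < len(groups) else "")
    return "".join(out)


def splunk_replace(rows: Sequence[Row], pairs: Sequence[Tuple[str, str]],
                   fields: Optional[Sequence[str]] = None) -> List[Row]:
    """Apply `replace a WITH b [, c WITH d ...] [IN field-list]` to result rows.

    `pairs` is the ordered list of (match, replacement) strings and `fields` is
    the optional IN list. With no field list every field of every row is
    examined, which is the behaviour Example 1 relies on. A value is rewritten
    by the first pair that matches it (assumption of this emulation).
    """
    compiled = [(_compile_wildcard(m), r) for m, r in pairs]
    result: List[Row] = []
    for row in rows:
        new_row = dict(row)  # never mutate the caller's rows
        for field, value in row.items():
            if fields is not None and field not in fields:
                continue
            for regex, replacement in compiled:
                match = regex.fullmatch(value)
                if match:
                    new_row[field] = _substitute(match, replacement)
                    break
        result.append(new_row)
    return result


def example_1() -> List[Row]:
    """`| replace GET WITH GOOD`: no IN list, so both method and AA change."""
    return splunk_replace(SAMPLE_ROWS, [("GET", "GOOD")])


def example_2() -> List[Row]:
    """`| replace GET WITH GOOD IN method`: AA keeps its value."""
    return splunk_replace(SAMPLE_ROWS, [("GET", "GOOD")], fields=["method"])


def example_3() -> List[Row]:
    """`| table method | dedup method | replace "*T" WITH GOOD`.

    Every value ending in T is rewritten, so GET, POST and PUT all become GOOD.
    """
    method_only = [{"method": r["method"]} for r in SAMPLE_ROWS]
    return splunk_replace(method_only, [("*T", "GOOD")])


def swap_example() -> List[str]:
    """Wildcard text carries into the WITH string: "* localhost" WITH "localhost *".

    Runs on constructed host values; "web01 localhost" becomes "localhost web01".
    """
    rows = [{"host": "web01 localhost"}, {"host": "db02"}]
    out = splunk_replace(rows, [("* localhost", "localhost *")], fields=["host"])
    return [r["host"] for r in out]


if __name__ == "__main__":
    for name, fn in (("Example 1", example_1), ("Example 2", example_2),
                     ("Example 3", example_3), ("Wildcard swap", swap_example)):
        print(name, fn())
```

Running the script prints the rewritten rows for each example. Note what Example 3 shows: a wildcard such as "*T" matches POST and PUT as well as GET, so when you use replace to normalise values in a security dashboard, check the full set of distinct values (for instance with `stats count by method`) before trusting a wildcard pattern.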
Now you can effectively use the "replace" command in your daily work to meet your requirements!!
Hope you are now comfortable with: Usage of Splunk commands : REPLACE
HAPPY SPLUNKING !!