
Usage of Splunk commands  : REPLACE

Usage of Splunk commands : REPLACE is as follows

  • The replace command replaces field values with other values that you specify.
  • It replaces a string with another string in the specified fields.
  • If you don’t specify one or more fields, the value is replaced in all fields.


The skeleton of the “replace” command in Splunk is as follows:


replace <string> WITH <string> [ IN <field-list> ]


Example 1:

index=_internal sourcetype=splunkd_ui_access
| eval AA="GET"
| table method,AA
| dedup method,AA
| replace GET WITH GOOD

Result:

[result screenshot: replace-nsf]

Explanation:

In the above query “_internal” is the index and the sourcetype is “splunkd_ui_access”. With the “eval” command we create the field “AA” and set its value to “GET”. The “table” command then keeps the “method” and “AA” fields; “method” is an existing field in the “_internal” index. The “dedup” command removes duplicate rows. Finally, the “replace” command replaces the value “GET” with “GOOD”. Because no field name is given to “replace”, the value is replaced in all fields, so “GET” becomes “GOOD” in both the “method” field and the “AA” field.

*************************************************************************************

Example 2:

index=_internal sourcetype=splunkd_ui_access 
| eval AA="GET" 
| table method,AA 
| dedup method,AA 
| replace GET WITH GOOD IN method


Result:

[result screenshot: replace-sf]

Explanation:

In the above query “_internal” is the index and the sourcetype is “splunkd_ui_access”. With the “eval” command we create the field “AA” and set its value to “GET”. The “table” command then keeps the “method” and “AA” fields; “method” is an existing field in the “_internal” index. The “dedup” command removes duplicate rows. Finally, the “replace” command replaces the value “GET” with “GOOD”. Because we specify the “method” field with “replace”, the value is replaced only in the “method” field; the “AA” field keeps its value “GET”.

*************************************************************************************


Example 3:

index=_internal sourcetype=splunkd_ui_access
| table method
| dedup method
| replace "*T" WITH GOOD

Result:

[result screenshot: replace-wc]

Explanation:

In the above query “_internal” is the index and the sourcetype is “splunkd_ui_access”. The “table” command keeps the “method” field; “method” is an existing field in the “_internal” index. The “dedup” command removes duplicate values. Finally, the “replace” command replaces every “method” value that ends with “T” with “GOOD”, because “*” in the search string is a wildcard that matches any run of characters.
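To make the three behaviours above concrete without a Splunk instance, here is an added Python emulation of the pipeline (table, dedup, replace). It is not code from the original post and not Splunk’s own implementation. The sample rows are constructed to resemble the “method” and “AA” fields of the examples; the emulation assumes exact, case-sensitive value matching and supports the “*” wildcard only in the search string, which is all the page shows.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rows modelled on the examples: the "method" field from
# splunkd_ui_access plus the eval'd "AA" field. Not real Splunk output.
# The last row duplicates the first so that dedup has something to remove.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"method": "GET", "AA": "GET"},
    {"method": "POST", "AA": "GET"},
    {"method": "PUT", "AA": "GET"},
    {"method": "DELETE", "AA": "GET"},
    {"method": "GET", "AA": "GET"},
]


def spl_table(rows: List[Dict[str, str]], fields: List[str]) -> List[Dict[str, str]]:
    """Emulate `| table <fields>`: keep only the named fields, in that order."""
    return [{f: row[f] for f in fields if f in row} for row in rows]


def spl_dedup(rows: List[Dict[str, str]], fields: List[str]) -> List[Dict[str, str]]:
    """Emulate `| dedup <fields>`: keep the first row for each field combination."""
    seen = set()
    out = []
    for row in rows:
        key = tuple(row.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


def _wildcard_pattern(search: str) -> "re.Pattern[str]":
    # "*" matches any run of characters; everything else is literal.
    return re.compile(".*".join(re.escape(part) for part in search.split("*")))


def spl_replace(rows: List[Dict[str, str]], search: str, new_value: str,
                fields: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Emulate `| replace <search> WITH <new_value> [IN <field-list>]`.

    When fields is None (no IN clause) every field is a candidate, which is
    the behaviour of example 1; an explicit list restricts it (example 2).
    Matching is whole-value and case-sensitive (an assumption of this emulation).
    """
    pattern = _wildcard_pattern(search)
    out = []
    for row in rows:
        new_row = dict(row)
        targets = fields if fields is not None else list(row.keys())
        for f in targets:
            if f in new_row and pattern.fullmatch(new_row[f]):
                new_row[f] = new_value
        out.append(new_row)
    return out


def example_no_field() -> List[Dict[str, str]]:
    """Example 1: replace GET WITH GOOD (no IN clause, so both fields change)."""
    rows = spl_dedup(spl_table(SAMPLE_ROWS, ["method", "AA"]), ["method", "AA"])
    return spl_replace(rows, "GET", "GOOD")


def example_in_field() -> List[Dict[str, str]]:
    """Example 2: replace GET WITH GOOD IN method (only "method" changes)."""
    rows = spl_dedup(spl_table(SAMPLE_ROWS, ["method", "AA"]), ["method", "AA"])
    return spl_replace(rows, "GET", "GOOD", fields=["method"])


def example_wildcard() -> List[Dict[str, str]]:
    """Example 3: replace "*T" WITH GOOD (every method ending in T changes)."""
    rows = spl_dedup(spl_table(SAMPLE_ROWS, ["method"]), ["method"])
    return spl_replace(rows, "*T", "GOOD")


if __name__ == "__main__":
    for name, fn in [("no field", example_no_field),
                     ("IN method", example_in_field),
                     ("wildcard *T", example_wildcard)]:
        print(name)
        for row in fn():
            print("   ", row)
```

Running the file prints the three result tables; the wildcard case shows “DELETE” untouched because it does not end with “T”, which is the detail to keep in mind when a replace is used to normalize values in a detection search.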


Now you can effectively use the “replace” command in your daily work to meet your requirements!

Hope you are now comfortable with: Usage of Splunk commands : REPLACE


HAPPY SPLUNKING !!


Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing! Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content, and its work reflects that.