Documentation > Splunk > Search Reference > replace

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

replace

Contents

replace

Synopsis

Replaces values of specified fields with a specified new value.

Syntax

replace (<wc-str> with <wc-str>)+ [in <field-list>]

Required arguments

wc-string
Syntax: <string>
Description: Specify one or more field values and their replacements. You can include wildcards to match.

Optional arguments

field-list
Syntax: <string>
Description: Specify a comma-delimited list of field names in which to do the field value replacement.

Description

Replaces a single occurrence of the first string with the second within the specified fields (or all fields if none were specified). Non-wildcard replacements specified later take precedence over those specified earlier. For wildcard replacement, fuller matches take precedence over lesser matches. To assure precedence relationships, one is advised to split the replace into two separate invocations. When using wildcarded replacements, the result must have the same number of wildcards, or none at all. Wildcards (*) can be used to specify many values to replace, or replace values with.

Examples

Example 1: Change any host value that ends with "localhost" to "localhost".

... | replace *localhost with localhost in host

Example 2: Example usage.

... | replace "* localhost" with "localhost *" in host

Example 3: Change the value of two fields.

... | replace aug with August in start_month end_month

Example 5: Replace an IP address with a more descriptive name.

... | replace 127.0.0.1 with localhost in host

Example 6: Replace values of a field with more descriptive names.

... | replace 0 with Critical, 1 with Error in msg_level

Example 7: Search for an error message and replace empty strings with a whitespace. Note: This example won't work unless you have values that are actually the empty string, which is not the same as not having a value.

"Error exporting to XYZ :" | rex "Error exporting to XYZ:(?.*)" | replace "" with " " in errmsg


See also

fillnull, rename

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the replace command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Replace"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.


Comments

Eric, please visit the Splunk IRC channel on EFNET or post a more detailed question to answers.splunk.com.

Rachel, Splunker
November 15, 2012

this command not working,what is wrong?

Eric1981
November 8, 2012

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!