setfields
setfields
Synopsis
Sets the field values for all results to a common value.
Syntax
setfields <setfields-arg>, ...
Required arguments
- <setfields-arg>
- Syntax: string="<string>"
- Description: A key-value pair with quoted value. Standard key cleaning will be performed, ie all non-alphanumeric characters will be replaced with '_' and leading '_' will be removed.
Description
Sets the value of the given fields to the specified values for each event in the result set. Delimit multiple definitions with commas. Missing fields are added, present fields are overwritten.
Whenever you need to change or define field values, you can use the more general purpose eval command. See usage of an eval expression to set the value of a field in Example 1.
Examples
Example 1: Specify a value for the ip and foo fields.
... | setfields ip="10.10.10.10", foo="foo bar"To do this with the eval command:
... | eval ip="10.10.10.10" | eval foo="foo bar"See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the setfields command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3 View the Article History for its revisions.