replace
Synopsis
Replaces values of specified fields with a specified new value.
Syntax
replace (<wc-str> with <wc-str>)+ [in <field-list>]
Required arguments
- wc-string
- Syntax: <string>
- Description: Specify one or more field values and their replacements. You can include wildcards to match.
Optional arguments
- field-list
- Syntax: <string>
- Description: Specify a comma-delimited list of field names in which to do the field value replacement.
Description
Replaces a single occurrence of the first string with the second within the specified fields, or within all fields if none are specified. Non-wildcard replacements specified later take precedence over those specified earlier. For wildcard replacements, fuller matches take precedence over lesser matches. To guarantee a particular precedence, split the replace into two separate invocations. When using wildcard replacements, the result must have the same number of wildcards, or none at all. Wildcards (*) can be used to specify many values to replace, or to specify the values to replace them with.
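The following Python sketch is an added illustration, not Splunk code: it models the wildcard rules from the Description so a replacement pair can be checked against sample values before it is used to normalize fields in a search. It assumes a pattern must match the whole field value and that the n-th wildcard of the replacement receives the n-th wildcard match; each pair is applied as its own pass, in order, which corresponds to the separate invocations recommended above (precedence between pairs inside one invocation is not modelled). The function names and sample events are constructed.

```python
import re

def compile_rule(pattern, replacement):
    """Validate one '<wc-str> with <wc-str>' pair (hypothetical helper)."""
    n_pat, n_rep = pattern.count("*"), replacement.count("*")
    # Description: the result must have the same number of wildcards, or none.
    if n_rep not in (0, n_pat):
        raise ValueError(f"{replacement!r} must contain 0 or {n_pat} wildcards")
    # Literal text is escaped; each * becomes one capture group.
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("(.*)".join(parts), re.DOTALL), replacement

def apply_rule(rule, value):
    """Rewrite one field value; return it unchanged when the rule misses."""
    regex, replacement = rule
    match = regex.fullmatch(value)  # assumption: the whole value must match
    if match is None:
        return value
    captures = iter(match.groups())
    # Assumption: wildcards are carried over left to right.
    return "".join(next(captures) if ch == "*" else ch for ch in replacement)

def replace(events, rules, fields=None):
    """Apply each pair as its own pass, in order, to the listed fields."""
    compiled = [compile_rule(p, r) for p, r in rules]
    out = []
    for event in events:
        new = dict(event)
        for name in fields or list(new):  # no field list: every field
            if name in new:
                for rule in compiled:
                    new[name] = apply_rule(rule, new[name])
        out.append(new)
    return out

EVENTS = [  # constructed sample events
    {"host": "127.0.0.1", "msg_level": "0"},
    {"host": "web01.localhost", "msg_level": "1"},
    {"host": "db02 localhost", "msg_level": "2"},
]

if __name__ == "__main__":
    rules = [("127.0.0.1", "localhost"), ("*localhost", "localhost")]
    for event in replace(EVENTS, rules, ["host"]):
        print(event)
```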
Examples
Example 1: Change any host value that ends with "localhost" to "localhost".
... | replace *localhost with localhost in host
Example 2: Example usage
... | replace "* localhost" with "localhost *" in host
Example 3: Example usage
... | replace aug with August in start_month end_month
Example 4: Example usage
... | replace *localhost with localhost in host
Example 5: Example usage
... | replace 127.0.0.1 with localhost in host
Example 6: Example usage
... | replace 0 with Critical, 1 with Error in msg_level
Example 7: Example usage
... | replace 127.0.0.1 with localhost
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the replace command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2