Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

replace

Description

Replaces field values with the values that you specify.

Replaces a single occurrence of the first string with another string in the specified fields. If you do not specify a one or more fields, the value is replaced in all fields.

Syntax

replace (<wc-string> WITH <wc-string>)... [IN <field-list>]

Required arguments

wc-string
Syntax: <string>
Description: Specify one or more field values and their replacements. You can use wildcard characters to match one or multiple terms.

Optional arguments

field-list
Syntax: <string> ...
Description: Specify a space delimited list of one or more field names for the field value replacements. Replacement values on _internal fields, require you to specify the field name with the IN <fieldname> clause.

Usage

The replace command is a distributable streaming command. See Command types.

Non-wildcard replacement values specified later take precedence over those replacements specified earlier. For a wildcard replacement, fuller matches take precedence over lesser matches. To assure precedence relationships, you are advised to split the replace into two separate invocations. When using wildcard replacements, the result must have the same number of wildcards, or none at all. Wildcards ( * ) can be used to specify many values to replace, or replace values with.

Examples

Example 1:

Change any host value that ends with "localhost" to simply "localhost".

... | replace *localhost WITH localhost IN host

Example 2:

Change the order of strings in host values so that "localhost" precedes the other strings.

... | replace "* localhost" WITH "localhost *" IN host

Example 3:

Change the value of two fields.

... | replace aug WITH August IN start_month end_month

Example 4:

Replace an IP address with a more descriptive name.

... | replace 127.0.0.1 WITH localhost IN host

Example 5:

Replace values of a field with more descriptive names.

... | replace 0 WITH Critical, 1 WITH Error IN msg_level

Example 6:

Search for an error message and replace empty strings with a whitespace. Note: This example will not work unless you have values that are actually the empty string, which is not the same as not having a value.

"Error exporting to XYZ :" | rex "Error exporting to XYZ:(?.*)" | replace "" WITH " " IN errmsg

Example 7:

Replace values of an internal field, _time.

sourcetype=* | head 5 | eval _time="XYZ" | stats count BY _time | replace *XYZ* WITH *ALL* IN _time

See also

fillnull, rename

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the replace command.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:Replace:4.1&oldid=965280"
PREVIOUS
rename 		  NEXT
rest

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.11, 4.3.1, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 6.3.12, 6.3.14, 6.3.2

Comments

If "fillnull" is in "See Also", then "filldown" should be, too. A global check in all "See Also" sections should be done to verify that any where that either exists, both exist.

Woodcock
September 9, 2017

The "rename" command should be in the "See Also" section. They are very similar: one changes the field "name", the other changes the field "value".

Woodcock
September 9, 2017

...|rex field=_raw "[a-z]\,\sMESSAGE=(?<ErrorMessage>[a-zA-Z.:_ \-0-9]{22,})"| stats count by ErrorMessage |replace XXX-XX-* With 000 in ErrorMessage

The above command does not seem to work with or without quotes where ErrorMessage is a string type field, any idea what is wrong??

Bramhastra
July 30, 2015

Eric, please visit the Splunk IRC channel on EFNET or post a more detailed question to answers.splunk.com.

Rachel, Splunker
November 15, 2012

this command not working,what is wrong?

Eric1981
November 8, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters