replace
Description
Replaces field values in your search results with the values that you specify. Does not replace values in fields generated by stats
or eval
functions. If you do not specify a field, the value is replaced in all non-generated fields.
Syntax
replace (<wc-string> WITH <wc-string>)... [IN <field-list>]
Required arguments
- wc-string
- Syntax: <string>
- Description: Specify one or more field values and their replacements. You can use wildcard characters to match one or multiple terms.
Optional arguments
- field-list
- Syntax: <string> ...
- Description: Specify a comma or space delimited list of one or more field names for the field value replacements. To replace values on
_internal
fields, you must specify the field name with the IN <fieldname> clause.
Usage
The replace
command is a distributable streaming command. See Command types.
Non-wildcard replacement values specified later take precedence over those replacements specified earlier. For a wildcard replacement, fuller matches take precedence over lesser matches. To assure precedence relationships, you are advised to split the replace into two separate invocations. When using wildcard replacements, the result must have the same number of wildcards, or none at all. Wildcards ( * ) can be used to specify many values to replace, or replace values with.
Examples
1. Replace a value in all fields
Change any host value that ends with "localhost" to simply "localhost" in all fields.
... | replace *localhost WITH localhost
2. Replace a value in a specific field
Replace an IP address with a more descriptive name in the host
field.
... | replace 127.0.0.1 WITH localhost IN host
3. Change the value of two fields
Replaces the values in the start_month
and end_month
fields. You can separate the names in the field list with spaces or commas.
... | replace aug WITH August IN start_month end_month
4. Change the order of values in a field
In the host field, change the order of string values that contain the word localhost
so that the string "localhost" precedes the other strings.
... | replace "* localhost" WITH "localhost *" IN host
5. Replace multiple values in a field
Replace the values in a field with more descriptive names. Separate the value replacements with comma.
... | replace 0 WITH Critical, 1 WITH Error IN msg_level
6. Replace empty strings
Search for an error message and replace empty strings with a whitespace.
This example will not work unless you have values that are actually the empty string, which is not the same as not having a value.
"Error exporting to XYZ :" | rex "Error exporting to XYZ:(?.*)" | replace
"" WITH " " IN errmsg
7: Replace values in an internal field
Replace values of the internal field _time
.
sourcetype=* | head 5 | eval _time="XYZ" | stats count BY _time | replace *XYZ* WITH *ALL* IN _time
See also
- Commands
- rename
rename | require |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14
Feedback submitted, thanks!