Splunk Cloud

Search Reference


replace

Description

Replaces field values with the values that you specify.

Replaces a single occurrence of the first string with another string in the specified fields. If you do not specify one or more fields, the value is replaced in all fields.


Syntax

replace (<wc-string> WITH <wc-string>)... [IN <field-list>]

Required arguments

wc-string
Syntax: <string>
Description: Specify one or more field values and their replacements. You can use wildcard characters to match one or multiple terms.

Optional arguments

field-list
Syntax: <string> ...
Description: Specify a comma or space delimited list of one or more field names for the field value replacements. To replace values on _internal fields, you must specify the field name with the IN <fieldname> clause.


Usage

The replace command is a distributable streaming command. See Command types.

Non-wildcard replacements specified later take precedence over those specified earlier. For wildcard replacements, fuller matches take precedence over lesser matches. To guarantee the precedence you want, split the replace into two separate invocations. When you use wildcard replacements, the replacement value must contain the same number of wildcards as the match value, or none at all. Wildcards ( * ) can be used to specify many values to replace, or values to replace with.


Examples

1. Replace a value in all fields

Change any host value that ends with "localhost" to simply "localhost" in all fields.

... | replace *localhost WITH localhost

2. Replace a value in a specific field

Replace an IP address with a more descriptive name in the host field.

... | replace WITH localhost IN host

3. Change the value of two fields

Replaces the values in the start_month and end_month fields. You can separate the names in the field list with spaces or commas.

... | replace aug WITH August IN start_month end_month

4. Change the order of values in a field

In the host field, change the order of string values that contain the word localhost so that the string "localhost" precedes the other strings.

... | replace "* localhost" WITH "localhost *" IN host

5. Replace multiple values in a field

Replace the values in a field with more descriptive names. Separate the value replacements with a comma.

... | replace 0 WITH Critical, 1 WITH Error IN msg_level

6. Replace empty strings

Search for an error message and replace empty strings with a single space character.

This example will not work unless you have values that are actually the empty string, which is not the same as not having a value.

"Error exporting to XYZ :" | rex "Error exporting to XYZ:(?<errmsg>.*)" | replace "" WITH " " IN errmsg

7. Replace values in an internal field

Replace values of the internal field _time.

sourcetype=* | head 5 | eval _time="XYZ" | stats count BY _time | replace *XYZ* WITH *ALL* IN _time
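As an added illustration (not Splunk's code, and not how the SPL search processor is actually implemented), the following Python models the matching and precedence rules from the Usage section and chains examples 4, 1 and 5 over constructed sample events. It assumes that a match value must cover the whole field value, that a non-wildcard match is the fullest possible match, and that "fuller match" means the pattern with more literal characters; all three are assumptions of this example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

def _compile(pattern: str) -> re.Pattern:
    # Anchored regex: every '*' becomes a capture group reused in the replacement.
    return re.compile("^" + "(.*?)".join(re.escape(p) for p in pattern.split("*")) + "$")

def build_replacer(rules: List[Tuple[str, str]]) -> Callable[[str], str]:
    """Validate '<match> WITH <replacement>' pairs and return a value mapper.
    Later non-wildcard rules override earlier ones; wildcard rules are tried
    most-literal-characters first (this example's reading of 'fuller match')."""
    exact: Dict[str, str] = {}
    wild: List[Tuple[int, re.Pattern, str]] = []
    for match, repl in rules:
        if repl.count("*") not in (0, match.count("*")):   # page's wildcard-count rule
            raise ValueError(f"{match!r} WITH {repl!r}: wildcard count mismatch")
        if "*" not in match:
            exact[match] = repl                            # later pair wins
        else:
            wild.append((len(match.replace("*", "")), _compile(match), repl))
    wild.sort(key=lambda t: t[0], reverse=True)
    def map_value(value: str) -> str:
        if value in exact:                                 # assumed: exact is the fullest match
            return exact[value]
        for _, rx, repl in wild:
            m = rx.match(value)
            if m:
                out = repl
                for captured in m.groups():                # fill '*' slots in order
                    out = out.replace("*", captured, 1)
                return out
        return value
    return map_value

def replace_in_events(events: List[Dict[str, str]], rules: List[Tuple[str, str]],
                      fields: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Apply the rules to every event; fields=None mirrors omitting IN (all fields)."""
    map_value = build_replacer(rules)
    return [{k: (map_value(v) if fields is None or k in fields else v)
             for k, v in ev.items()} for ev in events]

# Constructed sample events standing in for search results.
SAMPLE_EVENTS = [{"host": "web01.localhost", "msg_level": "0", "errmsg": ""},
                 {"host": "db localhost", "msg_level": "1", "errmsg": "timeout"}]

def demo() -> List[Dict[str, str]]:
    # Chain the page's examples 4, 1 and 5 as successive replace stages.
    stage = replace_in_events(SAMPLE_EVENTS, [("* localhost", "localhost *")], ["host"])
    stage = replace_in_events(stage, [("*localhost", "localhost")])
    return replace_in_events(stage, [("0", "Critical"), ("1", "Error")], ["msg_level"])
```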

See also

fillnull, rename


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the replace command.


This documentation applies to the following versions of Splunk Cloud: 6.6.3, 7.0.0, 7.0.2, 7.0.5, 7.0.3, 7.0.8, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7


Thank you for this feedback. I have updated the description and the example to explain that either commas or spaces can be used in the <field-list>. Really appreciate you taking the time to point this out!

Lstewart splunk, Splunker
August 5, 2019

Woodcock - The reason that fillnull is in the "See also" list is because one of the examples shows how to fill in empty values. The filldown command does not apply here.

Lstewart splunk, Splunker
August 5, 2019

The doc above says "field-list" is "a space delimited list of one or more field names", which works, however Splunk's own error message specifies a comma separated list:

Error in 'replace' command: Usage: replace [orig_str WITH new_str]+ [IN field1, field2, ...].

which also seems to work. Should the docs reflect both spaces and commas as valid delimiters?

July 22, 2019

If "fillnull" is in "See Also", then "filldown" should be, too. A global check in all "See Also" sections should be done to verify that anywhere that either exists, both exist.

September 9, 2017

The "rename" command should be in the "See Also" section. They are very similar: one changes the field "name", the other changes the field "value".

September 9, 2017
