setfields
Description
Sets the field values for all results to a common value.
Sets the value of the given fields to the specified values for each event in the result set. Delimit multiple definitions with commas. Missing fields are added, present fields are overwritten.
Whenever you need to change or define field values, you can use the more general purpose eval
command. See usage of an eval expression to set the value of a field in Example 1.
Syntax
setfields <setfields-arg>, ...
Required arguments
- <setfields-arg>
- Syntax: string="<string>", ...
- Description: A key-value pair, with the value quoted. If you specify multiple key-value pairs, separate each pair with a comma. Standard key cleaning is performed. This means all non-alphanumeric characters are replaced with '_' and leading '_' are removed.
Examples
Example 1:
Specify a value for the ip and foo fields.
... | setfields ip="10.10.10.10", foo="foo bar"
To do this with the eval command:
... | eval ip="10.10.10.10" | eval foo="foo bar"
See also
set | sichart |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!