Hi ,
I have a field called UniqueID which contains the following values..like A,B,C,D etc..Now For this field i want to replace D as 5 . how can i do it ??
ie. i need like
UniqueID
A
B
C
5
Please help
Crudely, you could replace certain field values like so:
... | eval UniqueID = if(UniqueID="D",5,UniqueID) | ...
If the set of replacements grows larger you could set up a lookup table of original and replaced values.
You could also make use of an automatic lookup table. So have a csv file with the following:
UniqueID,Output
A,A
B,B
C,C
D,5
Splunk will find the UniqueID and rename it to whatever is in the "Output" column.
So you can totally rename any field you like.
There's a tutorial here: http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Usefieldlookupstoaddinformationtoyourevent...
to walk you through automatic lookups.
I've only recently started using them, but they save a lot of hassle and shortens search strings drastically.
If you need any help, just ask. 🙂
Crudely, you could replace certain field values like so:
... | eval UniqueID = if(UniqueID="D",5,UniqueID) | ...
If the set of replacements grows larger you could set up a lookup table of original and replaced values.
You're now handling MV fields? when did they slip into the equation? You might want to start another question... Also, I second Ayn's question about why you use so many usernames on here... every so often I get an email that one user has commented, then you delete it and post as another user?
I've no idea about what you're talking about now. The original question was regarding how to exchange one value in an event for another. What you're trying to transform it to now, I do not understand.
go vote for this request 😉
http://splunk-base.splunk.com/answers/63129/splunkbase-feature-request
Two things:
Same thing?
... | eval field1 = if(field2=field3,field4,field5) | ...
Just insert fields as you like.
Yeah martin..this worked for me..thnx 🙂
Hi rakesh
looks like you're lost somewhere in splunk universe; on 24. Oct this years you asked the same http://splunk-base.splunk.com/answers/63109/can-i-replace-the-_raw-data-with-my-own-data and Ayn answered correct.
So, just use the force and you'll be happy 🙂
cheers,
MuS
this is exactly the same approach or you try
... | rex mode=sed field=
Yeah Actually i have asekd about the data inside the field this time ?? i dnt want to change entire data ..only the Data "D" i want to change ..can you pls help on that .