Solved: Can we replace certain value in field ??

rakesh_498115 · ‎12-13-2012

Hi ,

I have a field called UniqueID which contains the following values..like A,B,C,D etc..Now For this field i want to replace D as 5 . how can i do it ??

ie. i need like

UniqueID
A
B
C
5

Please help

martin_mueller · ‎12-13-2012

Crudely, you could replace certain field values like so:

... | eval UniqueID = if(UniqueID="D",5,UniqueID) | ...

If the set of replacements grows larger you could set up a lookup table of original and replaced values.

View solution in original post

watsm10 · ‎12-14-2012

You could also make use of an automatic lookup table. So have a csv file with the following:

UniqueID,Output

A,A

B,B

C,C

D,5

Splunk will find the UniqueID and rename it to whatever is in the "Output" column.
So you can totally rename any field you like.

There's a tutorial here: http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Usefieldlookupstoaddinformationtoyourevent...
to walk you through automatic lookups.

I've only recently started using them, but they save a lot of hassle and shortens search strings drastically.

If you need any help, just ask. 🙂

martin_mueller · ‎12-13-2012

Crudely, you could replace certain field values like so:

... | eval UniqueID = if(UniqueID="D",5,UniqueID) | ...

If the set of replacements grows larger you could set up a lookup table of original and replaced values.

Drainy · ‎12-14-2012

You're now handling MV fields? when did they slip into the equation? You might want to start another question... Also, I second Ayn's question about why you use so many usernames on here... every so often I get an email that one user has commented, then you delete it and post as another user?

Ayn · ‎12-14-2012

I've no idea about what you're talking about now. The original question was regarding how to exchange one value in an event for another. What you're trying to transform it to now, I do not understand.

MuS · ‎12-14-2012

go vote for this request 😉

http://splunk-base.splunk.com/answers/63129/splunkbase-feature-request

Ayn · ‎12-14-2012

Two things:

You're not enclosing "yes" and "no" in quotes, so you're telling Splunk to use the values of the FIELDS "yes" and "no", not the actual strings.
Why are you using multiple usernames? This confuses and annoys people.

martin_mueller · ‎12-14-2012

Same thing?

... | eval field1 = if(field2=field3,field4,field5) | ...

Just insert fields as you like.

rakesh_498115 · ‎12-13-2012

Yeah martin..this worked for me..thnx 🙂

MuS · ‎12-13-2012

Hi rakesh

looks like you're lost somewhere in splunk universe; on 24. Oct this years you asked the same http://splunk-base.splunk.com/answers/63109/can-i-replace-the-_raw-data-with-my-own-data and Ayn answered correct.

So, just use the force and you'll be happy 🙂

cheers,

MuS

MuS · ‎12-13-2012

this is exactly the same approach or you try

... | rex mode=sed field= "s/#\d+//"

rakesh_498115 · ‎12-13-2012

Yeah Actually i have asekd about the data inside the field this time ?? i dnt want to change entire data ..only the Data "D" i want to change ..can you pls help on that .

Can we replace certain value in field ??

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases