Splunk Examples: Renaming/Replacing Fields and Values

Splunk Examples: Renaming/Replacing Fields and Values

Last updated:
Table of Contents

WIP Alert This is a work in progress. Current information is correct but more content may be added in the future.

Splunk version used: 8.x. Examples use the tutorial data from Splunk

Rename field with eval

Just use eval to create a new field that's a copy an another one:

your-search-criteria
| eval NewField=OldField

added-new-field-based-on-current-one Created a new field called NewField based upon Code

Replace value using case

TEMPLATE: | eval newName=case(criteria1, value1, criteria2, value2, true(), value_other)

Example: If value is "B", replace with "Biscuits". If value is "C", replace with "Carrots".

your-search-criteria
| eval Code=case(Code="B", "Biscuits", Code="C", "Carrots", true(), "Other")
| table _raw, Code

source-data Sample data, (source_type is vendor_sales)
  
data-with-replaced-values After: replaced values

splunk

Archive

Dialogue & Discussion