The replace replaces text in one or more fields in the search result. Supports literal string replacement and wildcard patterns using *.
replace '<pattern>' WITH '<replacement>' [, '<pattern>' WITH '<replacement>']... IN <field-name>[, <field-name>]...
- pattern: mandatory. The text pattern you want to replace.
- replacement: mandatory. The text you want to replace with.
- field-name: mandatory. One or more field names where the replacement should occur.
This example shows replacing text in one field.
source=accounts
| replace "IL" WITH "Illinois" IN state
| fields state
Expected output:
fetched rows / total rows = 4/4
+----------+
| state |
|----------|
| Illinois |
| TN |
| VA |
| MD |
+----------+
This example shows replacing text in multiple fields.
source=accounts
| replace "IL" WITH "Illinois" IN state, address
| fields state, address
Expected output:
fetched rows / total rows = 4/4
+----------+----------------------+
| state | address |
|----------+----------------------|
| Illinois | 880 Holmes Lane |
| TN | 671 Bristol Street |
| VA | 789 Madison Street |
| MD | 467 Hutchinson Court |
+----------+----------------------+
This example shows using replace with other commands in a query pipeline.
source=accounts
| replace "IL" WITH "Illinois" IN state
| where age > 30
| fields state, age
Expected output:
fetched rows / total rows = 3/3
+----------+-----+
| state | age |
|----------+-----|
| Illinois | 32 |
| TN | 36 |
| MD | 33 |
+----------+-----+
This example shows using multiple pattern/replacement pairs in a single replace command. The replacements are applied sequentially.
source=accounts
| replace "IL" WITH "Illinois", "TN" WITH "Tennessee" IN state
| fields state
Expected output:
fetched rows / total rows = 4/4
+-----------+
| state |
|-----------|
| Illinois |
| Tennessee |
| VA |
| MD |
+-----------+
Since replace command only supports plain string literals, you can use LIKE command with replace for pattern matching needs.
source=accounts
| where LIKE(address, '%Holmes%')
| replace "Holmes" WITH "HOLMES" IN address
| fields address, state, gender, age, city
Expected output:
fetched rows / total rows = 1/1
+-----------------+-------+--------+-----+--------+
| address | state | gender | age | city |
|-----------------+-------+--------+-----+--------|
| 880 HOLMES Lane | IL | M | 32 | Brogan |
+-----------------+-------+--------+-----+--------+
Replace values that end with a specific pattern. The wildcard * matches any prefix.
source=accounts
| replace "*IL" WITH "Illinois" IN state
| fields state
Expected output:
fetched rows / total rows = 4/4
+----------+
| state |
|----------|
| Illinois |
| TN |
| VA |
| MD |
+----------+
Replace values that start with a specific pattern. The wildcard * matches any suffix.
source=accounts
| replace "IL*" WITH "Illinois" IN state
| fields state
Expected output:
fetched rows / total rows = 4/4
+----------+
| state |
|----------|
| Illinois |
| TN |
| VA |
| MD |
+----------+
Use wildcards in both pattern and replacement to capture and reuse matched portions. The number of wildcards must match in pattern and replacement.
source=accounts
| replace "* Lane" WITH "Lane *" IN address
| fields address
Expected output:
fetched rows / total rows = 4/4
+----------------------+
| address |
|----------------------|
| Lane 880 Holmes |
| 671 Bristol Street |
| 789 Madison Street |
| 467 Hutchinson Court |
+----------------------+
Use multiple wildcards to transform patterns. Each wildcard in the replacement substitutes the corresponding captured value.
source=accounts
| replace "* *" WITH "*_*" IN address
| fields address
Expected output:
fetched rows / total rows = 4/4
+----------------------+
| address |
|----------------------|
| 880_Holmes Lane |
| 671_Bristol Street |
| 789_Madison Street |
| 467_Hutchinson Court |
+----------------------+
When replacement has zero wildcards, all matching values are replaced with the literal replacement string.
source=accounts
| replace "*IL*" WITH "Illinois" IN state
| fields state
Expected output:
fetched rows / total rows = 4/4
+----------+
| state |
|----------|
| Illinois |
| TN |
| VA |
| MD |
+----------+
Use \* to match literal asterisk characters (\* = literal asterisk, \\ = literal backslash).
source=accounts
| eval note = 'price: *sale*'
| replace 'price: \*sale\*' WITH 'DISCOUNTED' IN note
| fields note
Expected output:
fetched rows / total rows = 4/4
+------------+
| note |
|------------|
| DISCOUNTED |
| DISCOUNTED |
| DISCOUNTED |
| DISCOUNTED |
+------------+
Use wildcards in pattern but none in replacement to create a fixed output.
source=accounts
| eval test = 'prefix-value-suffix'
| replace 'prefix-*-suffix' WITH 'MATCHED' IN test
| fields test
Expected output:
fetched rows / total rows = 4/4
+---------+
| test |
|---------|
| MATCHED |
| MATCHED |
| MATCHED |
| MATCHED |
+---------+
Combine escaped asterisks (literal) with wildcards for complex patterns.
source=accounts
| eval label = 'file123.txt'
| replace 'file*.*' WITH '\**.*' IN label
| fields label
Expected output:
fetched rows / total rows = 4/4
+----------+
| label |
|----------|
| *123.txt |
| *123.txt |
| *123.txt |
| *123.txt |
+----------+
- Wildcards:
*matches zero or more characters (case-sensitive) - Replacement wildcards must match pattern wildcard count, or be zero
- Escape sequences:
\*(literal asterisk),\\(literal backslash)