https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343941#M101891 <P>Yeah, in my query on dashboard</P> Mon, 12 Jun 2017 20:36:45 GMT exocore123 2017-06-12T20:36:45Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343930#M101880 <P>I had a field of this value </P> <PRE><CODE>nameSpaces = ["url1"] nameSpaces = ["url1", "url2"] </CODE></PRE> <P>I got <CODE>rex</CODE> to change <CODE>["url1", "url2"]</CODE> into <CODE>"url1, url2"</CODE><BR /> However, I am trying to change url1 to a label1, and url2 to label2, is there a way I can change it so the outcome from<BR /> <CODE>"url1, url2"</CODE> to <CODE>"label1, label2"</CODE></P> Mon, 12 Jun 2017 16:31:27 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343930#M101880 exocore123 2017-06-12T16:31:27Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343931#M101881 <P>I saw I can use rex sed mode, but I am a bit confused on mapping the string. Originally I used spath and then replace for the labels, but I noticed they showed up as single records, and messed up the total count for the logs, so I am trying to maintain the proper length of the array. I was thinking <CODE>rex mode=sed "s/url1/label1"</CODE></P> Mon, 12 Jun 2017 16:32:31 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343931#M101881 exocore123 2017-06-12T16:32:31Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343932#M101882 <P>Try like this</P> <PRE><CODE>your current search giving field nameSpaces | rex field=nameSpaces mode=sed "s/url/label/g" </CODE></PRE> Mon, 12 Jun 2017 16:43:02 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343932#M101882 somesoni2 2017-06-12T16:43:02Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343933#M101883 <P>Perfect! what about if I had url1 and url3, and they're both the same, can I somehow condense it to <CODE>rex field=nameSpaces mode=sed "s/url1 | url3/label/g"</CODE> as well as multiple fields?</P> Mon, 12 Jun 2017 16:51:02 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343933#M101883 exocore123 2017-06-12T16:51:02Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343934#M101884 <P>You could do like this</P> <PRE><CODE>...| rex field=nameSpaces mode=sed "s/(ur1|url3)/label/g" </CODE></PRE> Mon, 12 Jun 2017 17:02:56 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343934#M101884 somesoni2 2017-06-12T17:02:56Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343935#M101885 <P>Thanks! What about <CODE>field=nameSpaces|nameSpaces2 mode=sed "s/(ur1|url3)/label/g"</CODE>? Something similar? I tried that and did not work</P> Mon, 12 Jun 2017 17:07:35 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343935#M101885 exocore123 2017-06-12T17:07:35Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343936#M101886 <P>You can't specify multiple fields in <CODE>field</CODE> attribute of rex command. You can either run rex multiple time for each nameSpace field, or use foreach command like this </P> <PRE><CODE>... | foreach nameSpaces* [rex field="&lt;&lt;FIELD&gt;&gt;" mode=sed "s/(url1|url3)/label/g" ] </CODE></PRE> Mon, 12 Jun 2017 17:19:22 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343936#M101886 somesoni2 2017-06-12T17:19:22Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343937#M101887 <P>well technically my nameSpaces are two different fields (name wise), so I guess I am going to have to make duplicate rex lines then, maybe possibly <CODE>rename</CODE>?</P> Mon, 12 Jun 2017 17:28:52 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343937#M101887 exocore123 2017-06-12T17:28:52Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343938#M101888 <P>I accidentally added a space after nameSpace in above foreach command. I'm using <CODE>*</CODE> as wildcard so any field which starts with nameSpace will get that replacement.</P> <P>And yes, other option would be to add multiple rex commands for each nameSpaceN field.</P> Mon, 12 Jun 2017 17:33:00 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343938#M101888 somesoni2 2017-06-12T17:33:00Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343939#M101889 <P>I got an <CODE>"Unencoded &lt;"</CODE> error when using <CODE>foreach nameSpaces* [rex field="&lt;&lt;FIELD&gt;&gt;" mode=sed "s/(url1|url3)/label/g" ]</CODE></P> Mon, 12 Jun 2017 18:03:26 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343939#M101889 exocore123 2017-06-12T18:03:26Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343940#M101890 <P>Are you trying to run it from dashboard?</P> Mon, 12 Jun 2017 18:57:41 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343940#M101890 somesoni2 2017-06-12T18:57:41Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343941#M101891 <P>Yeah, in my query on dashboard</P> Mon, 12 Jun 2017 20:36:45 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343941#M101891 exocore123 2017-06-12T20:36:45Z https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343942#M101892 <P>Guessing you're updating the dashboard xml directly, use the foreach like this</P> <PRE><CODE>...| foreach nameSpaces* [rex field="&amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt;" mode=sed "s/(url1|url3)/label/g" ] </CODE></PRE> Mon, 12 Jun 2017 21:01:05 GMT https://community.splunk.com/t5/Splunk-Search/replacing-parts-inside-string/m-p/343942#M101892 somesoni2 2017-06-12T21:01:05Z