https://community.splunk.com/t5/Splunk-Search/Replace-random-string-in-a-field/m-p/423816#M121616 <P>Hi team,</P> <P>I've 1 field named - 'URI' coming in micro service log dump.</P> <P>Example Values of URI field is like below - </P> <P>/mobile/login<BR /> /desktop/login<BR /> /account/100123445/details<BR /> /account/100123999/details<BR /> /public/account/XYZAASWDDSSSS/transactions<BR /> /public/account/XYZQWERTS/transactions</P> <P>Now I'm just trying to see successful or failure transactions list sorted by the URI.</P> <P>My example query - <BR /> index=mslogs "successful"|stats count by URI</P> <P>Now the problem is, the result is coming as - <BR /> URI Count<BR /> /mobile/login 50<BR /> /desktop/login 50<BR /> /account/100123445/details 1<BR /> /account/100123999/details 1<BR /> /public/account/XYZAASWDDSSSS/transactions 1<BR /> /public/account/XYZQWERTS/transactions 1</P> <P>Obviously, I need this to show like - </P> <P>/mobile/login 50<BR /> /desktop/login 50<BR /> /account/<EM>/details 2<BR /> /public/account/</EM>/transactions 2</P> <P>Basically I want to remove the random string part in the 'URI' field. Different URI has different random parts and those random parts are present differently in the URI. I'm willing to write regex to handle all the scenario in URI, but I want to replace them with '*' so that if I do a 'stats' or timechart, single URI.</P> <P>Please suggest.</P> Thu, 01 Aug 2019 09:51:05 GMT pjtbasu 2019-08-01T09:51:05Z https://community.splunk.com/t5/Splunk-Search/Replace-random-string-in-a-field/m-p/423816#M121616 <P>Hi team,</P> <P>I've 1 field named - 'URI' coming in micro service log dump.</P> <P>Example Values of URI field is like below - </P> <P>/mobile/login<BR /> /desktop/login<BR /> /account/100123445/details<BR /> /account/100123999/details<BR /> /public/account/XYZAASWDDSSSS/transactions<BR /> /public/account/XYZQWERTS/transactions</P> <P>Now I'm just trying to see successful or failure transactions list sorted by the URI.</P> <P>My example query - <BR /> index=mslogs "successful"|stats count by URI</P> <P>Now the problem is, the result is coming as - <BR /> URI Count<BR /> /mobile/login 50<BR /> /desktop/login 50<BR /> /account/100123445/details 1<BR /> /account/100123999/details 1<BR /> /public/account/XYZAASWDDSSSS/transactions 1<BR /> /public/account/XYZQWERTS/transactions 1</P> <P>Obviously, I need this to show like - </P> <P>/mobile/login 50<BR /> /desktop/login 50<BR /> /account/<EM>/details 2<BR /> /public/account/</EM>/transactions 2</P> <P>Basically I want to remove the random string part in the 'URI' field. Different URI has different random parts and those random parts are present differently in the URI. I'm willing to write regex to handle all the scenario in URI, but I want to replace them with '*' so that if I do a 'stats' or timechart, single URI.</P> <P>Please suggest.</P> Thu, 01 Aug 2019 09:51:05 GMT https://community.splunk.com/t5/Splunk-Search/Replace-random-string-in-a-field/m-p/423816#M121616 pjtbasu 2019-08-01T09:51:05Z https://community.splunk.com/t5/Splunk-Search/Replace-random-string-in-a-field/m-p/423817#M121617 <P>Greetings @pjtbasu,</P> <P>As you said, you'll want to regex them out. The beginning of the regex replace command for all of them would be <CODE>| eval URI = replace(URI,</CODE>. followed by:</P> <P><CODE>/account/#####/details</CODE> = <CODE>"(/account)/[^/]+(/details)", "\1\2")</CODE><BR /> <CODE>/public/account/#####/transactions</CODE> = <CODE>"(/public/account)/[^/]+(/transactions)", "\1\2")</CODE></P> <P>Here's a run-anywhere search for your sample data:</P> <PRE><CODE>| makeresults | eval URI="/account/100123445/details" | append [ | makeresults | eval URI="/public/account/XYZAASWDDSSSS/transactions" ] | eval URI = replace(URI, "(/account)/[^/]+(/details)", "\1\2") | eval URI = replace(URI, "(/public/account)/[^/]+(/transactions)", "\1\2") </CODE></PRE> Thu, 01 Aug 2019 14:22:39 GMT https://community.splunk.com/t5/Splunk-Search/Replace-random-string-in-a-field/m-p/423817#M121617 jacobpevans 2019-08-01T14:22:39Z