https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476174#M133744 <P>I am not sure what is wrong but just do it another way, like this:</P> <PRE><CODE>| rex field=metrics_total mode=sed "s/Total:\s*//" </CODE></PRE> Thu, 07 Nov 2019 03:54:45 GMT woodcock 2019-11-07T03:54:45Z https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476171#M133741 <H3>Background</H3> <P>I have a log file where I have extracted some fields. I am trying to parse a field to get the numeric values it has using replace but it is not working and I don't understand why.</P> <H3>Problem</H3> <P>I have a long log file and one of the fields I extracted is called <CODE>metrics_total</CODE> and has the following format: <CODE>"Total: __decimal_number__"</CODE>, where decimal number is any floating point number. </P> <P>My objective is to create an average of this field, but because I have the string <CODE>"Total: "</CODE> the <CODE>avg</CODE> command fails. So I am trying to remove it using <CODE>replace</CODE>. However I am failing.</P> <H3>Query</H3> <P>This is how I am trying to use replace:</P> <P><CODE><BR /> host=host00 OR host01 endpoint=* http_method=* http_status=200 metrics_total=* | replace "Total: " with "" in metrics_total | table http_method endpoint metrics_total<BR /> </CODE></P> <P>Where <CODE>host</CODE>, <CODE>endpoint</CODE>, <CODE>http_method</CODE>, <CODE>http_status</CODE> and <CODE>metrics_total</CODE> are extracted fields.</P> <P>The issue here is that no matter what I do, nothing changes. This is what I get: </P> <P><CODE><BR /> GET /product/bananas Total: 0.087<BR /> GET /product/apples Total: 0.003<BR /> GET /cart/checkout Total: 0.005<BR /> </CODE></P> <P>And this is what I <EM>actually</EM> want to achieve:</P> <P><CODE><BR /> GET /product/bananas 0.087<BR /> GET /product/apples 0.003<BR /> GET /cart/checkout 0.005<BR /> </CODE></P> <P>Here I would get only the numbers instead of the whole <CODE>Total: 0.087</CODE> string.</P> <H3>Going further</H3> <P>Going even further I would really like to have this field computed into an average. As in, the <CODE>avg(metrics_total)</CODE>for each endpoint grouped by <CODE>http_method</CODE>.</P> <H3>Questions</H3> <OL> <LI>What is wrong in my usage of replace?</LI> <LI>How can I compute the average metric for each endpoint grouped by http_method?</LI> <LI>Is there an easier way to achieve my objective? (Am I complicating things too much?)</LI> </OL> Wed, 06 Nov 2019 13:00:04 GMT https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476171#M133741 pedroma 2019-11-06T13:00:04Z https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476172#M133742 <P>@pedroma,</P> <P>Try</P> <PRE><CODE>"Your search" |rex field=metrics_total "(?&lt;Total&gt;\d+.\d+)" |stats avg(Total) as avg_by_method by http_method </CODE></PRE> <P><CODE>replace</CODE> works well with full string replacements</P> Wed, 06 Nov 2019 13:17:41 GMT https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476172#M133742 renjith_nair 2019-11-06T13:17:41Z https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476173#M133743 <P>Thanks for the query! Could you explain me why my <CODE>replace</CODE> was incorrect and why using <CODE>rex</CODE> was better for my use case?</P> <P>I don't quite understand what you mean with "full string replacements".</P> Wed, 06 Nov 2019 15:15:39 GMT https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476173#M133743 pedroma 2019-11-06T15:15:39Z https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476174#M133744 <P>I am not sure what is wrong but just do it another way, like this:</P> <PRE><CODE>| rex field=metrics_total mode=sed "s/Total:\s*//" </CODE></PRE> Thu, 07 Nov 2019 03:54:45 GMT https://community.splunk.com/t5/Splunk-Search/Fix-replace-command/m-p/476174#M133744 woodcock 2019-11-07T03:54:45Z