https://community.splunk.com/t5/Splunk-Search/sed-to-replace-a-string-after-a-match/m-p/515828#M144837 <P>Awesome!!. Thank you so much!</P> Mon, 24 Aug 2020 15:59:31 GMT anoopdi 2020-08-24T15:59:31Z https://community.splunk.com/t5/Splunk-Search/sed-to-replace-a-string-after-a-match/m-p/515806#M144828 <P>Is there a way I can substitute a string after a regular expression match? For example, i want to replace the IP address which appears after 'Chrome/'</P><P><SPAN class="t">70.31.171.12</SPAN> <SPAN class="t">-</SPAN> <SPAN class="t">admin</SPAN><SPAN> [</SPAN><SPAN class="t">24/Aug/2020:14:31:44.596</SPAN><SPAN> +</SPAN><SPAN class="t">0000</SPAN><SPAN>] "</SPAN><SPAN class="t">GET</SPAN> <SPAN class="t">/en-US/splunkd/__raw/services/search/shelper</SPAN><SPAN>?</SPAN><SPAN class="t">output_mode=json</SPAN><SPAN>&amp;</SPAN><SPAN class="t">snippet=true</SPAN><SPAN>&amp;</SPAN><SPAN class="t">snippetEmbedJS=false</SPAN><SPAN>&amp;</SPAN><SPAN class="t">namespace=search</SPAN><SPAN>&amp;</SPAN><SPAN class="t">search=search</SPAN><SPAN>+</SPAN><SPAN class="t">index</SPAN><SPAN>%3D</SPAN><SPAN class="t">_internal</SPAN><SPAN>+</SPAN><SPAN class="t">sourcetype</SPAN><SPAN>%3D</SPAN><SPAN class="t">splunkd_ui_access</SPAN><SPAN>+&amp;</SPAN><SPAN class="t">useTypeahead=true</SPAN><SPAN>&amp;</SPAN><SPAN class="t">showCommandHelp=true</SPAN><SPAN>&amp;</SPAN><SPAN class="t">showCommandHistory=true</SPAN><SPAN>&amp;</SPAN><SPAN class="t">showFieldInfo=false</SPAN><SPAN>&amp;</SPAN><SPAN class="t">_=1598275250371</SPAN> <SPAN class="t">HTTP/1.1</SPAN><SPAN>" </SPAN><SPAN class="t">200</SPAN> <SPAN class="t">5620</SPAN><SPAN> "</SPAN><SPAN class="t">-</SPAN><SPAN>" "</SPAN><SPAN class="t">Mozilla/5.0</SPAN><SPAN> (</SPAN><SPAN class="t">Windows</SPAN> <SPAN class="t">NT</SPAN> <SPAN class="t">10.0</SPAN><SPAN>; </SPAN><SPAN class="t">Win64</SPAN><SPAN>; </SPAN><SPAN class="t">x64</SPAN><SPAN>) </SPAN><SPAN class="t">AppleWebKit/537.36</SPAN><SPAN> (</SPAN><SPAN class="t">KHTML</SPAN><SPAN>, </SPAN><SPAN class="t">like</SPAN> <SPAN class="t">Gecko</SPAN><SPAN>) </SPAN><STRONG><SPAN class="t">Chrome/84.0.4147.125</SPAN></STRONG> <SPAN class="t">Safari/537.36</SPAN><SPAN>" </SPAN><SPAN class="t">-</SPAN> <SPAN class="t">e02845bc5c07fae3e33855fca82cc968</SPAN> <SPAN class="t">12ms</SPAN></P><P><SPAN class="t">I am able to use 'sed' to replace one more match of IP address but do not know how to replace a specific one.</SPAN></P><P><SPAN class="t">I want the event to look like this after the running sed,</SPAN></P><P><SPAN class="t">70.31.171.12 - admin<SPAN> [</SPAN>24/Aug/2020:14:31:44.596<SPAN> +</SPAN>0000<SPAN>] "</SPAN>GET /en-US/splunkd/__raw/services/search/shelper<SPAN>?</SPAN>output_mode=json<SPAN>&amp;</SPAN>snippet=true<SPAN>&amp;</SPAN>snippetEmbedJS=false<SPAN>&amp;</SPAN>namespace=search<SPAN>&amp;</SPAN>search=search<SPAN>+</SPAN>index<SPAN>%3D</SPAN>_internal<SPAN>+</SPAN>sourcetype<SPAN>%3D</SPAN>splunkd_ui_access<SPAN>+&amp;</SPAN>useTypeahead=true<SPAN>&amp;</SPAN>showCommandHelp=true<SPAN>&amp;</SPAN>showCommandHistory=true<SPAN>&amp;</SPAN>showFieldInfo=false<SPAN>&amp;</SPAN>_=1598275250371 HTTP/1.1<SPAN>" </SPAN>200 5620<SPAN> "</SPAN>-<SPAN>" "</SPAN>Mozilla/5.0<SPAN> (</SPAN>Windows NT 10.0<SPAN>; </SPAN>Win64<SPAN>; </SPAN>x64<SPAN>) </SPAN>AppleWebKit/537.36<SPAN> (</SPAN>KHTML<SPAN>, </SPAN>like Gecko<SPAN>) </SPAN><STRONG>Chrome/xxx.xxx.xxx.xxx</STRONG>&nbsp;Safari/537.36<SPAN>" </SPAN>- e02845bc5c07fae3e33855fca82cc968 12ms</SPAN></P> Mon, 24 Aug 2020 14:52:06 GMT https://community.splunk.com/t5/Splunk-Search/sed-to-replace-a-string-after-a-match/m-p/515806#M144828 anoopdi 2020-08-24T14:52:06Z https://community.splunk.com/t5/Splunk-Search/sed-to-replace-a-string-after-a-match/m-p/515822#M144835 <P>Hi</P><P>&nbsp;</P><LI-CODE lang="java">| rex field=_raw mode=sed "s#Chrome/(\d+\.\d+\.\d+\.\d+)#Chrome/xxxxxxx#"</LI-CODE><P>&nbsp;</P><P>Works with previous sample.</P><P><SPAN>r. Ismo&nbsp;</SPAN></P> Mon, 24 Aug 2020 15:47:12 GMT https://community.splunk.com/t5/Splunk-Search/sed-to-replace-a-string-after-a-match/m-p/515822#M144835 isoutamo 2020-08-24T15:47:12Z https://community.splunk.com/t5/Splunk-Search/sed-to-replace-a-string-after-a-match/m-p/515828#M144837 <P>Awesome!!. Thank you so much!</P> Mon, 24 Aug 2020 15:59:31 GMT https://community.splunk.com/t5/Splunk-Search/sed-to-replace-a-string-after-a-match/m-p/515828#M144837 anoopdi 2020-08-24T15:59:31Z