https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/515461#M144861 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163241">@brettcave</a>,</P><P>Legend has it that <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> is still looking for that upvote.</P> Fri, 21 Aug 2020 14:03:42 GMT GindiKhangura 2020-08-21T14:03:42Z https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/497667#M144857 <P>If I have an event that looks like this:</P> <PRE><CODE>META1 META2 {foo:bar,color:green,size:medium} some text ({client: x, ip: z}) </CODE></PRE> <P>And I want to use a single transforms to replace the values for <CODE>foo</CODE>, <CODE>color</CODE> and <CODE>size</CODE>, to produce logs like:</P> <PRE><CODE>META1 META2 {foo:###,color:###,size:###} some text ({client:x, ip:z}) </CODE></PRE> <P>I wanted to use the following in transforms, but it's only replacing the first field:</P> <PRE><CODE>REGEX=(?m)(META.* {)(foo|color|size):\w(}.*)$ FORMAT=$1###$3 </CODE></PRE> <P>It only masks the first value, how would I match multiple values?</P> <P>Sample log output</P> <PRE><CODE> META1 META2 {foo:###,color:green,size:medium some text ({client:x, ip:z}) </CODE></PRE> Wed, 29 Jan 2020 14:22:12 GMT https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/497667#M144857 brettcave 2020-01-29T14:22:12Z https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/497668#M144858 <P>Try adding <CODE>REPEAT_MATCH = true</CODE> to the transforms.conf stanza.</P> Wed, 29 Jan 2020 16:02:16 GMT https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/497668#M144858 richgalloway 2020-01-29T16:02:16Z https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/497669#M144859 <P>thanks @richgalloway , am testing this now.</P> Thu, 30 Jan 2020 10:09:40 GMT https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/497669#M144859 brettcave 2020-01-30T10:09:40Z https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/497670#M144860 <P>Still testing? If your problem is resolved, please accept the answer to help future readers.</P> Wed, 05 Feb 2020 13:43:16 GMT https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/497670#M144860 richgalloway 2020-02-05T13:43:16Z https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/515461#M144861 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163241">@brettcave</a>,</P><P>Legend has it that <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> is still looking for that upvote.</P> Fri, 21 Aug 2020 14:03:42 GMT https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/515461#M144861 GindiKhangura 2020-08-21T14:03:42Z https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/515468#M144862 <P>accepted answer.</P> Fri, 21 Aug 2020 14:06:56 GMT https://community.splunk.com/t5/Splunk-Search/Using-transforms-and-props-to-search-and-replace-multiple-fields/m-p/515468#M144862 brettcave 2020-08-21T14:06:56Z