https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605168#M210457 <P>Hello,&nbsp;</P> <P>I have several events in the _raw field that add a unique identification number. I would like to replace these with something standard to aggregate counts on.&nbsp;</P> <P>Example Data:</P> <P>fi/transaction/card/purchase/tx_2994882028948/refund</P> <P>fi/transaction/card/purchase/tx_3920496893002/void</P> <P>fi/transaction/card/purchase/tx_2930540482198/refund</P> <P>&nbsp;</P> <P>I'd like these all to read:&nbsp;</P> <P>fi/transaction/card/purchase/trans/refund</P> <P>fi/transaction/card/purchase/trans/void</P> <P>fi/transaction/card/purchase/trans/refund</P> <P>&nbsp;</P> <P>So replace the unique identifier, but maintain the verbiage at the end.&nbsp;</P> <P>I've tried a few of the other methods noted in other threads, but to no avail. Some don't work at all, some run, but don't replace the values.</P> <P>Thanks!!</P> Mon, 11 Jul 2022 16:41:56 GMT mcscjlf 2022-07-11T16:41:56Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605168#M210457 <P>Hello,&nbsp;</P> <P>I have several events in the _raw field that add a unique identification number. I would like to replace these with something standard to aggregate counts on.&nbsp;</P> <P>Example Data:</P> <P>fi/transaction/card/purchase/tx_2994882028948/refund</P> <P>fi/transaction/card/purchase/tx_3920496893002/void</P> <P>fi/transaction/card/purchase/tx_2930540482198/refund</P> <P>&nbsp;</P> <P>I'd like these all to read:&nbsp;</P> <P>fi/transaction/card/purchase/trans/refund</P> <P>fi/transaction/card/purchase/trans/void</P> <P>fi/transaction/card/purchase/trans/refund</P> <P>&nbsp;</P> <P>So replace the unique identifier, but maintain the verbiage at the end.&nbsp;</P> <P>I've tried a few of the other methods noted in other threads, but to no avail. Some don't work at all, some run, but don't replace the values.</P> <P>Thanks!!</P> Mon, 11 Jul 2022 16:41:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605168#M210457 mcscjlf 2022-07-11T16:41:56Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605173#M210459 <P>If your unique identification number match a common pattern, then you can you rex in sed mode</P><LI-CODE lang="markup">| rex mode=sed "s/\/tx_\d+\/\/trans\//g"</LI-CODE><P>&nbsp;</P> Mon, 11 Jul 2022 15:48:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605173#M210459 ITWhisperer 2022-07-11T15:48:14Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605174#M210460 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247555">@mcscjlf</a>&nbsp;,<BR />You could try something like that (assuming that you want to see this data in search-time):</P><LI-CODE lang="markup">| rex mode=sed field=_raw "s/(\S+)(tx_\S+)(\/\S+)/\1trans\3/g"</LI-CODE><P>&nbsp;</P><P>You can change the&nbsp;<STRONG>field=_raw&nbsp;</STRONG>to your specific field, if it is being extracted already in a field.</P> Mon, 11 Jul 2022 15:49:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605174#M210460 danielcj 2022-07-11T15:49:36Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605314#M210490 <P>Thanks for the suggestions! Unfortunately, neither worked. I am trying to change this data in the search and only for the search results, I don't want to permanently change the underlying data. Perhaps my other search criteria is affecting the results with the solutions provided.&nbsp;</P><P>Search Criteria:</P><P>host="Example"&nbsp; sourcetype=Hexflag2&nbsp; /fi/transaction/* | rex "POST (?&lt;transact&gt;/S+)" | stats county by transact</P><P>This returns the example data below, I'm just hoping for a way to condense all of the unique values to something I can rollup into a usage count.</P> Tue, 12 Jul 2022 16:35:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605314#M210490 mcscjlf 2022-07-12T16:35:06Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605317#M210491 <P>Firstly, rex mode=sed doesn't change the underlying data permanently, it just modifies the events in the event pipeline.</P><P>It looks like I missed a slash out - try this</P><LI-CODE lang="markup">host="Example" sourcetype=Hexflag2 /fi/transaction/* | rex mode=sed "s/\/tx_\d+\//\/trans\//g" | rex "POST (?&lt;transact&gt;/\S+)" | stats count by transact</LI-CODE> Tue, 12 Jul 2022 17:07:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-Unique-Values/m-p/605317#M210491 ITWhisperer 2022-07-12T17:07:17Z