Getting Data In

Can you rename strings within mv-fields

lmacneil76
Explorer

Id like to rename every instance of "dragDrop" to "stackDragDrop" from a multi-value field.

The search below just renames one instance. Any ideas on how to do this?

source="C:\\var\\regression_items\\*.xml" 
| rex "title=\"(?P<id>\d+)\"" 
| rex max_match=0 "(class=\"stack\").+(data-type=\")(?P<STACK>\w+)(\")"
| eval TEST=mvfilter(STACK = "dragDrop")
| eval selectionElements=case(TEST="dragDrop", "stackDragDrop") 
| table id selectionElements TEST
Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Try this

source="C:\\var\\regression_items\\*.xml" 
| rex "title=\"(?P<id>\d+)\"" 
| rex max_match=0 "(class=\"stack\").+(data-type=\")(?P<STACK>\w+)(\")"
| eval TEST=mvfilter(STACK="dragDrop") |eval selectionElements=TEST | replace dragDrop with stackDragDrop in selectionElements
| table id selectionElements TEST

View solution in original post

somesoni2
Revered Legend

Try this

source="C:\\var\\regression_items\\*.xml" 
| rex "title=\"(?P<id>\d+)\"" 
| rex max_match=0 "(class=\"stack\").+(data-type=\")(?P<STACK>\w+)(\")"
| eval TEST=mvfilter(STACK="dragDrop") |eval selectionElements=TEST | replace dragDrop with stackDragDrop in selectionElements
| table id selectionElements TEST

lmacneil76
Explorer

Perfect! I was missing replace. Thanks!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...