Solved: rex commands using sed in props.conf on a field

rdownie · ‎01-24-2014

Is there a way to use a rex command with mode=sed against a specific field in a config file (props.conf)??
I understand how to use the SEDCMD in the props but that pre-processes and only appears to go against _raw (since the fields wouldn't be defined yet). Is there a way to do the following:
rex mode=sed field=a "s/this/that/g"
via config files?? Preferably at search time?
Thanks,
-Bob

martin_mueller · ‎01-24-2014

You can do something like this in props.conf to define a calculated field at search time:

EVAL-foo = replace(a, "this", "that")

Note, field a cannot come from a lookup because that's looked up too late, see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf for reference.

View solution in original post

martin_mueller · ‎01-24-2014

You can do something like this in props.conf to define a calculated field at search time:

EVAL-foo = replace(a, "this", "that")

Note, field a cannot come from a lookup because that's looked up too late, see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf for reference.

rex commands using sed in props.conf on a field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation