Solved: rex commands using sed in props.conf on a field

rdownie · ‎01-24-2014

Is there a way to use a rex command with mode=sed against a specific field in a config file (props.conf)??
I understand how to use the SEDCMD in the props but that pre-processes and only appears to go against _raw (since the fields wouldn't be defined yet). Is there a way to do the following:
rex mode=sed field=a "s/this/that/g"
via config files?? Preferably at search time?
Thanks,
-Bob

martin_mueller · ‎01-24-2014

You can do something like this in props.conf to define a calculated field at search time:

EVAL-foo = replace(a, "this", "that")

Note, field a cannot come from a lookup because that's looked up too late, see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf for reference.

View solution in original post

martin_mueller · ‎01-24-2014

You can do something like this in props.conf to define a calculated field at search time:

EVAL-foo = replace(a, "this", "that")

Note, field a cannot come from a lookup because that's looked up too late, see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf for reference.

rex commands using sed in props.conf on a field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!