Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Dev
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Rex Field=All Fields mode=sed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tuanledang1120
Engager
07-04-2016
09:29 PM
Hi,
I'm trying to do a sed (replacing comma with _) on all fields, instead of having to specify which field I want to do the sed command on. Is that possible?
I tried to do field=*, but that did not work.
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
07-05-2016
05:32 AM
Alternatively you could use foreach:
| foreach * [eval <<FIELD>>=replace(<<FIELD>>, ",", "_" )]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
07-05-2016
06:46 AM
If you like, you can take it to props.conf.
We do the following to remove spaces -
# :" kkkki " -- remove spaces
SEDCMD-trim-ws1 = s/(:\")(\s+)?(\w+)(\s+)?(\")/\1\3\5/g
So, it's a sed command at the props.conf level.
In your case, the following should work -
SEDCMD-replace = s/,/_/g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
07-05-2016
05:32 AM
Alternatively you could use foreach:
| foreach * [eval <<FIELD>>=replace(<<FIELD>>, ",", "_" )]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tuanledang1120
Engager
07-05-2016
10:50 AM
This works! Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-05-2016
04:44 AM
Try field=_raw OR you don't need to specify a field. You could just do rex mode=sed "your regex"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tuanledang1120
Engager
07-05-2016
10:41 AM
I tried this but it didn't work.
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
