Solved: Rex Field=All Fields mode=sed

tuanledang1120 · ‎07-04-2016

Hi,

I'm trying to do a sed (replacing comma with _) on all fields, instead of having to specify which field I want to do the sed command on. Is that possible?

I tried to do field=*, but that did not work.

Thanks.

javiergn · ‎07-05-2016

Alternatively you could use foreach:

| foreach * [eval <<FIELD>>=replace(<<FIELD>>, ",", "_" )]

View solution in original post

ddrillic · ‎07-05-2016

If you like, you can take it to props.conf.

We do the following to remove spaces -

# :"   kkkki    " -- remove spaces
SEDCMD-trim-ws1 = s/(:\")(\s+)?(\w+)(\s+)?(\")/\1\3\5/g

So, it's a sed command at the props.conf level.

In your case, the following should work -

SEDCMD-replace = s/,/_/g

javiergn · ‎07-05-2016

Alternatively you could use foreach:

| foreach * [eval <<FIELD>>=replace(<<FIELD>>, ",", "_" )]

tuanledang1120 · ‎07-05-2016

This works! Thanks a lot!

sundareshr · ‎07-05-2016

Try field=_raw OR you don't need to specify a field. You could just do rex mode=sed "your regex"

tuanledang1120 · ‎07-05-2016

I tried this but it didn't work.

Rex Field=All Fields mode=sed

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation