Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Dev
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Rex Field=All Fields mode=sed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tuanledang1120
Engager
07-04-2016
09:29 PM
Hi,
I'm trying to do a sed (replacing comma with _) on all fields, instead of having to specify which field I want to do the sed command on. Is that possible?
I tried to do field=*, but that did not work.
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
07-05-2016
05:32 AM
Alternatively you could use foreach:
| foreach * [eval <<FIELD>>=replace(<<FIELD>>, ",", "_" )]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
07-05-2016
06:46 AM
If you like, you can take it to props.conf.
We do the following to remove spaces -
# :" kkkki " -- remove spaces
SEDCMD-trim-ws1 = s/(:\")(\s+)?(\w+)(\s+)?(\")/\1\3\5/g
So, it's a sed command at the props.conf level.
In your case, the following should work -
SEDCMD-replace = s/,/_/g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
07-05-2016
05:32 AM
Alternatively you could use foreach:
| foreach * [eval <<FIELD>>=replace(<<FIELD>>, ",", "_" )]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tuanledang1120
Engager
07-05-2016
10:50 AM
This works! Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-05-2016
04:44 AM
Try field=_raw OR you don't need to specify a field. You could just do rex mode=sed "your regex"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tuanledang1120
Engager
07-05-2016
10:41 AM
I tried this but it didn't work.
Get Updates on the Splunk Community!
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Shape the Future of Splunk: Join the Product Research Lab!
Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...
