Help with JSON regex replace

ballen1 · ‎06-29-2022

Command:

rex mode=sed "s/\"name":\s\"[^\"]+\"/"name":"###############"/g"

Regex seems to work fine in Regex101

However, I seem to continue to get this error:

Error in 'SearchParser': Missing a search command before '^'. Error at position '69' of search query rex mode=sed "s/\"c...{snipped} {errorcontext = n_id"\s\"[^\"]+\"/"co}'.

I'm trying to mask a json key:value pair. See below:

"name": "john doe" ----> "name": "######"

danielcj · ‎06-29-2022

Hello,

It is missing a \ after the name and before the ".

The correct one is:

| rex mode=sed "s/\"name\":\s\"[^\"]+\"/"name":"###############"/g"

ballen1 · ‎07-01-2022

Thank you for this. For some reason I had to add a few more \ to make this work. See below:

“s/\”name\”\:\”[^\”]+\”/\”name\":\"###############\"/g"

ballen1 · ‎06-30-2022

Hello,

Thank you for the reply. That removed that error. However, it still doesn't mask the "name" field in the search.

"name" still shows as:

"name": "john doe"

ballen1 · ‎06-30-2022

ah. I figured it out. I had to modify it like the following for it to replace properly:

“s/\”name\”\:\”[^\”]+\”/\”name\":\"###############\"/g"

This is using splunk cloud btw.

Help with JSON regex replace

regex

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Help with JSON regex replace

regex

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk