How do I edit my rex field=UEI mode=sed syntax to ...

karthi2809 · ‎09-26-2017

As of now I am using:

rex field=URI mode=sed "s/=[^?]+/=xxx/g"

But its not working

/v1/mb/members/15d628b4-0d113-09b8ec770efd/option

/v1/mb/members/216570ce-c199-4ab9--c0cf3ddd404e/option

/v1/mb/members/36fbe9a8-882d-4a94-882561f81074/option

/v1/mb/members/4d573446-1d4f-483a-c5d64c33/option

/v1/mb/members/5cc2fa84-4b91-45bf-9c1/option

DalJeanis · ‎09-26-2017

Your current rex is telling the system to replace an =, followed by any number of things that are not ?, with xxx.

If you explain what you want it to do, then we can help you.

gokadroid · ‎09-26-2017

can you please post sample log entries and what do u want to extract/replace from those log entries.

sbbadri · ‎09-26-2017

rex field=URI mode=sed "s/[^?]+/xxx/g"

How do I edit my rex field=UEI mode=sed syntax to 'district' my sample URIs?

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25

Are you a member of the Splunk Community?

How do I edit my rex field=UEI mode=sed syntax to 'district' my sample URIs?

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25