Solved: Re: How to replace characters in string from field...

pradeepkumarg · ‎07-31-2014

I have a field extraction as below which extracts a date into a field called my_date

EXTRACT-my_date = (?i)StopDateTimeLocal\W\W(?P.*?)\s

The above extraction will give me values like '2014-07-31'

How can I change the extraction to replace '-' with '/' so that my values look like 2014/07/31 ?

strive · ‎07-31-2014

Since this is a search time field extraction, you can use replace function in your search. The other way is replace it during data ingestion. Using the SEDCMD in props.conf file.

I am not sure if it can be done along with EXTRACT-fieldname.

View solution in original post

strive · ‎07-31-2014

Since this is a search time field extraction, you can use replace function in your search. The other way is replace it during data ingestion. Using the SEDCMD in props.conf file.

I am not sure if it can be done along with EXTRACT-fieldname.

martin_mueller · ‎08-02-2014

Is this about http://answers.splunk.com/answers/146092/how-do-i-ignore-the-new-line-character-in-the-_raw-field?

linu1988 · ‎08-02-2014

I have not tried, but can i use a replace in the EVAL-foo for search time extraction @martin_mueller ? i need to replace the newline character in that field but no answers till now 😞

martin_mueller · ‎08-02-2014

You can of course define a calculated field (EVAL-foo in props.conf) to avoid having to do the calculation in every search.

pradeepkumarg · ‎08-01-2014

Thank you. I just wanted to check if we can do it during search time extraction

martin_mueller · ‎08-01-2014

Indeed, EXTRACT-foo doesn't do replacements. On top of replace() in search and SEDCMD-foo at index time you can also use strptime() and strftime() in search to parse your date and produce a different formatted string.

How to replace characters in string from field extraction?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life