Splunk Search

How to replace characters in string from field extraction?

Influencer

I have a field extraction as below which extracts a date into a field called my_date

EXTRACT-my_date = (?i)StopDateTimeLocal\W\W(?P.*?)\s 

The above extraction will give me values like '2014-07-31'

How can I change the extraction to replace '-' with '/' so that my values look like 2014/07/31 ?

0 Karma
1 Solution

Influencer

Since this is a search time field extraction, you can use replace function in your search. The other way is replace it during data ingestion. Using the SEDCMD in props.conf file.

I am not sure if it can be done along with EXTRACT-fieldname.

View solution in original post

Influencer

Since this is a search time field extraction, you can use replace function in your search. The other way is replace it during data ingestion. Using the SEDCMD in props.conf file.

I am not sure if it can be done along with EXTRACT-fieldname.

View solution in original post

SplunkTrust
SplunkTrust
0 Karma

Champion

I have not tried, but can i use a replace in the EVAL-foo for search time extraction @martin_mueller ? i need to replace the newline character in that field but no answers till now 😞

0 Karma

SplunkTrust
SplunkTrust

You can of course define a calculated field (EVAL-foo in props.conf) to avoid having to do the calculation in every search.

0 Karma

Influencer

Thank you. I just wanted to check if we can do it during search time extraction

0 Karma

SplunkTrust
SplunkTrust

Indeed, EXTRACT-foo doesn't do replacements. On top of replace() in search and SEDCMD-foo at index time you can also use strptime() and strftime() in search to parse your date and produce a different formatted string.