Solved: How to search for part of a string matching a cert...

0range · ‎09-01-2015

Hello everyone.

I need to substitute text "id" in text fields where I have ids now: like 123123123, 312asda-adas2 and so one.

For example, I need these transformations:
/bar/1233131/foo -> /bar/id/foo
/bar/12313 -> /bar/id
/foo/a2b-b2a/bar -> /foo/id/bar

How can I do it in Splunk?

richgalloway · ‎09-01-2015

Try this:

... | rex field=text mode=sed "s/(\/.*?\/)([^\/]*)($|\/.*)/\1id\3/" | ...

---
If this reply helps you, Karma would be appreciated.

jkat54 · ‎09-01-2015

Is the ID you're looking to substitute always just two directories deep? Or can it be 3, 4, 5+ sub-directories deep?

0range · ‎09-02-2015

In general, it can be at any level

richgalloway · ‎09-02-2015

If the ID can be at any level, how is it distinguished from the rest of the file path?

---
If this reply helps you, Karma would be appreciated.

0range · ‎10-07-2015

It's numeric or alfa-numberic with special structure

richgalloway · ‎09-01-2015

Try this:

... | rex field=text mode=sed "s/(\/.*?\/)([^\/]*)($|\/.*)/\1id\3/" | ...

---
If this reply helps you, Karma would be appreciated.

0range · ‎10-07-2015

| rex field=operation mode=sed "s/([0-9a-z]+\-)+[0-9a-z]+/id/"

Works fine:) thank you!

How to search for part of a string matching a certain regex for an ID in a text field and replace it with "id"?