Solved: How to use regex to replace string?

knalla · ‎05-12-2019

Hi,

I have the below urls. How can I use the regex to remove the tokens from urls? Looking to remove data between /interactions/ and result_data.

output needed:

burwell · ‎05-12-2019

Similar to what sduff wrote but more generalized to just remove everything between the last slashes (/)

| rex field=url "(?<part1>.+\/).+\/(?<part2>.+)"
| eval url=part1+part2

woodcock · ‎05-12-2019

Like this:

... rex field=url mode=sed "s%/interactions/.*/result_data%/interactions/result_data%"

burwell · ‎05-12-2019

Similar to what sduff wrote but more generalized to just remove everything between the last slashes (/)

| rex field=url "(?<part1>.+\/).+\/(?<part2>.+)"
| eval url=part1+part2

sduff_splunk · ‎05-12-2019

Are you looking to replace this as search time?

rex field=url "^(?<part1>.*/interactions)/.*/(?<part2>result_data)$" | eval url=part1."/".part2

If you are looking to do this at index time, you will need to use SEDCMD or transforms to replace the token (https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Anonymizedata ).
In props.conf,

SEDCMD-remove_tokens = s/interactions\/.*\/result-data/interactions\/result-data

How to use regex to replace string?