Solved: Re: Removing all numbers from _raw message

cpeteman · ‎08-14-2013

I want regex to remove all numbers from _raw message. Right now I have the search

* |rex mode=sed "s/ \d{1,}//g" |table _raw

i.e.

Aug 14 20:34:01 hype56 kernel: ib0: join failed for ff12:401b:ffff:0000:0000:0000:ffff:ffff, status -22

becomes

Aug:34:01 hype56 kernel: ib0: join failed for ff12:401b:ffff:0000:0000:0000:ffff:ffff, status -

but I want it to be

Aug:: hype kernel: ib: join failed for ff:b:ffff::::ffff:ffff, status -

cpeteman · ‎08-14-2013

Well looks like the right answer was already sitting in front of me

  * |rex mode=sed "s/\d{1,}//g" |table _raw

Darn white space 😉

Note: One could also replace \d{1,} with \d+

cpeteman · ‎08-14-2013

Well looks like the right answer was already sitting in front of me

  * |rex mode=sed "s/\d{1,}//g" |table _raw

Darn white space 😉

Note: One could also replace \d{1,} with \d+

Removing all numbers from _raw message