Solved: Re: Replace a nested field

YatMan · ‎11-16-2022

Sample event

{ 
    durationMs:  83  
    properties:  { 
        url:  https://mywebsite/v1/organization/41547/buildings
    } 
   correlationId: e581d476-fa5f-4023-a53e-53d6e06734ae
}

I want to replace the ids into
https://mywebsite/v1/organization/{id}/buildings

I tried {base search string} | eval endpoint=replace(properties.url, "\d+", "{id}") | stats by endpoint
This return no result, but if I try other coorelationId field on the root level, {base search string} | eval endpoint=replace(coorelationId, "\d+", "{id}") | stats by endpoint

This return what I expected
endpoint | (other fields)
adb{id}f{id}-{id}fd{id}-{id}-a{id}b-{id}c{id}f{id}d | (other fields)
aea{id}e{id}c-fcdc-{id}-a{id}-{id}a{id}bfe{id}ee{id} | (other fields)

Why replace doesn't work on nested field?

ITWhisperer · ‎11-16-2022

Field names with dots in or other special characters need to be in single quotes. Try this

| eval endpoint=replace('properties.url', "\d+", "{id}")

View solution in original post

ITWhisperer · ‎11-16-2022

Field names with dots in or other special characters need to be in single quotes. Try this

| eval endpoint=replace('properties.url', "\d+", "{id}")

YatMan · ‎11-16-2022

this single quote solution works well. thank you.
It would be helpful if you guys can add an example in the document, thanks! https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace#Syntax

johnhuang · ‎11-16-2022

Splunk doesn't like fieldnames with special characters like periods.

| rename properties.url AS endpoint
| rex field=endpoint mode=sed "s/\/\d+\//\/{id}\//"

Why doesn't replace work on a nested field?

eval

Developer Spotlight with Paul Stout

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...