Splunk Search

replacing parts inside string

exocore123
Path Finder

I had a field of this value

nameSpaces = ["url1"] 
nameSpaces = ["url1", "url2"]

I got rex to change ["url1", "url2"] into "url1, url2"
However, I am trying to change url1 to a label1, and url2 to label2, is there a way I can change it so the outcome from
"url1, url2" to "label1, label2"

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

your current search giving field nameSpaces
| rex field=nameSpaces mode=sed "s/url/label/g"

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try like this

your current search giving field nameSpaces
| rex field=nameSpaces mode=sed "s/url/label/g"

exocore123
Path Finder

Perfect! what about if I had url1 and url3, and they're both the same, can I somehow condense it to rex field=nameSpaces mode=sed "s/url1 | url3/label/g" as well as multiple fields?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You could do like this

...| rex field=nameSpaces mode=sed "s/(ur1|url3)/label/g"
0 Karma

exocore123
Path Finder

Thanks! What about field=nameSpaces|nameSpaces2 mode=sed "s/(ur1|url3)/label/g"? Something similar? I tried that and did not work

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can't specify multiple fields in field attribute of rex command. You can either run rex multiple time for each nameSpace field, or use foreach command like this

... | foreach nameSpaces* [rex field="<<FIELD>>" mode=sed "s/(url1|url3)/label/g" ]
0 Karma

exocore123
Path Finder

well technically my nameSpaces are two different fields (name wise), so I guess I am going to have to make duplicate rex lines then, maybe possibly rename?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

I accidentally added a space after nameSpace in above foreach command. I'm using * as wildcard so any field which starts with nameSpace will get that replacement.

And yes, other option would be to add multiple rex commands for each nameSpaceN field.

0 Karma

exocore123
Path Finder

I got an "Unencoded <" error when using foreach nameSpaces* [rex field="<<FIELD>>" mode=sed "s/(url1|url3)/label/g" ]

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you trying to run it from dashboard?

0 Karma

exocore123
Path Finder

Yeah, in my query on dashboard

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Guessing you're updating the dashboard xml directly, use the foreach like this

...|  foreach nameSpaces* [rex field="&lt;&lt;FIELD&gt;&gt;" mode=sed "s/(url1|url3)/label/g" ]
0 Karma

exocore123
Path Finder

I saw I can use rex sed mode, but I am a bit confused on mapping the string. Originally I used spath and then replace for the labels, but I noticed they showed up as single records, and messed up the total count for the logs, so I am trying to maintain the proper length of the array. I was thinking rex mode=sed "s/url1/label1"

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...