I want to replace scheduleendtime=...& with scheduleendtime=valueOf(difference) in Splunk output.
In a Linux shell, this can be done using sed s/scheduleendtime=[^&]*/scheduleendtime=$difference/. When I try using the same command in Splunk, I fail horribly. Splunk doesn't do variable replacement in sed; rather, every occurrence of "scheduleendtime=[^&]*" is replaced with the exact string "scheduleendtime=$difference".
... | eval difference = case(schedule_time_diff <= 4200,"<_1_hour", schedule_time_diff < 28800, "<_8_hours", schedule_time_diff < 172800, " <_2_days") | rex mode=sed s/scheduleendtime=[^&]*/scheduleendtime=$difference/
I used sed because I am comfortable with it. If you think another command works better in this scenario, please let me know.
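One way to get a per-event value into the replacement, shown as an added example that is not part of the original post: eval's replace() takes a field expression as its replacement argument, whereas rex mode=sed treats the replacement as literal text. The makeresults sample events and their _raw strings are constructed, the rewrite is assumed to target _raw (the field rex uses by default), and the if() leaves an event unchanged when case() matches nothing and difference is null.

```spl
| makeresults count=3
| streamstats count AS n
| eval schedule_time_diff = case(n=1, 1800, n=2, 20000, n=3, 500000)
| eval _raw = "GET /report?id=" . n . "&scheduleendtime=1700000000&user=demo"
| eval difference = case(schedule_time_diff <= 4200, "<_1_hour", schedule_time_diff < 28800, "<_8_hours", schedule_time_diff < 172800, "<_2_days")
| eval _raw = if(isnotnull(difference), replace(_raw, "scheduleendtime=[^&]*", "scheduleendtime=" . difference), _raw)
| table schedule_time_diff difference _raw
```

The third sample event (schedule_time_diff of 500000) falls outside every case() branch, so its _raw keeps the original scheduleendtime value instead of becoming null.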