Solved: How can I do a find/replace on the results found t...

dlespron · ‎01-06-2014

For instance, I have a log that returns many results and in between different fields I have a \x1 that I would like to replace with a space in order to make it more readable to the user. How can I tell splunk to find all the instances of \x1 and replace them with a space? Any input would be greatly appreciated!

Thanks!

somesoni2 · ‎01-06-2014

In the search query (search time)

<your base search> | rex mode=sed "s/x1/ /g"

Index time (props.conf)

[yoursourcetype]
SEDCMD-changex1 = s/x1/ /g

View solution in original post

somesoni2 · ‎01-06-2014

In the search query (search time)

<your base search> | rex mode=sed "s/x1/ /g"

Index time (props.conf)

[yoursourcetype]
SEDCMD-changex1 = s/x1/ /g

dlespron · ‎01-06-2014

done thanks!

somesoni2 · ‎01-06-2014

Glad it helped. Please mark the question answered if everything looks good.

dlespron · ‎01-06-2014

that works great, thanks!

richgalloway · ‎01-06-2014

Try '| rex mode=sed "s/x1/ /g"'.

---
If this reply helps you, Karma would be appreciated.

dlespron · ‎01-06-2014

awesome, that worked great! thanks so much for your help!

How can I do a find/replace on the results found to make them more readable?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes