Hi,
let's say we have a string with various tagged entries:
"This {field1} is {delete_this} the example {tagged_element}"
Is it possible to ignore all tagged elements, no matter how many of them exist? Here the result would be
"This is the example"
Thanks in advance
Heinz
Hello Heinz,
yes this is possible.
Where do you want to do this? Before indexing?
Then you could do it in your props.conf with a regex like this example:
SEDCMD-ip = s/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})/\1xxx/g
This replaces the last octet in an IP address.
Or when you want to do it at search time you could do it in your query like this:
… | eval callingPartyNumber = replace(callingPartyNumber, "(\d+)(\d{3})", "xxxxx\2")
Output in both ways is 192.168.2.xxx
So you could edit the regexes to fit your needs and replace the unwanted strings with an empty string.
Hi,
a short follow up question regarding this topic 🙂
How to only keep the tagged elements?
Best regards
Heinz
Thanks for your post. I would like to do it at search time. Unfortunately I'm not very familiar with regex to adjust the example to my needs.
Could you give me an example data line? Then I could try it.
I created a testcase like this:
index=main| head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| table field
It might not be the most beautiful regex but it works with your example...
index=_internal| head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| eval field=replace(field, "{([^}]+)}|([\S])", "\2")
| table field
This works, thanks a lot!
I would assume something like {.*?}( |$)
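Added example, not part of any post in this thread: one search that covers both questions asked above. It removes every {…} element together with the whitespace after it, and separately collects only the {…} elements with a multivalue rex extraction. The field names without_tags, tag and only_tags are chosen here for illustration, and makeresults only generates a test event carrying the sample string from the question.

```spl
| makeresults
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| eval without_tags=trim(replace(field, "\{[^}]*\}\s*", ""))
| rex field=field max_match=0 "(?<tag>\{[^}]*\})"
| eval only_tags=mvjoin(tag, " ")
| table field without_tags only_tags
```

For the sample string, without_tags is "This is the example" with single spaces, and only_tags is "{field1} {delete_this} {tagged_element}".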