How to rex using sed rex command?

karthi2809 · ‎01-16-2018

How to rex using sed rex command?

index = main
| rex field=URI "^(?.+?)(\?|\z)"
|rex field=New_APIName mode=sed "s/\d+[a-zA-Z0-9*]/XXXX/g"
| stats count by New_APIName

I am getting output as

/v1/cp/members/XXXX/benefits/XXXXBG-XXXX-XXXX/benefitlist

/v1/cp/members/XXXX/benefits/XXXXBG-XXXX-XXXX-/excluded

/v1/cp/members/XXXX/benefits/XXXXUF-XXXX-XXXX-/benefitlist

/v1/cp/members/XXXX/benefits/XXXXUF-XXXX-XXXX-/excluded

/v1/cp/members/XXXX/benefits/XXXXUU-XXXX-XXXX-/benefitlist

/v1/cp/members/XXXX/benefits/XXXXUU-XXXX-XXXX-/excluded

/v1/cp/members/XXXX/benefits/XXXXXXXX-XXXX-XXXX-/benefitlist

/v1/cp/members/XXXX/benefits/XXXXXXXX-XXXX-XXXX-/excluded

Expected result:

/v1/cp/members/XXXX/benefits/XXXX/benefitlist

/v1/cp/members/XXXX/benefits/XXXX/excluded

horsefez · ‎01-16-2018

Hi,

try this one

| rex mode=sed field=<yourfield> "s/^(\/[^\/]*\/[^\/]*\/[^\/]*\/[^\/]*\/[^\/]*\/)[^\/]*(\/[^\/]*)/\1XXXX\2/g"

https://regex101.com/r/rwjLxP/1

493669 · ‎01-16-2018

Hi @karthi2809
Try below regex:

 <base search> | rex mode=sed field=New_APIName "s/(^\/\w+\/\w+\/\w+\/\w+\/\w+\/.{4})[^\/]+(\/\w+)/\1\2/"

brettcarroll · ‎01-16-2018

Most likely you have a problem with the regular expression.

What are the actual values of XXXX (letters, numbers)?

The regular expression you have is looking for 1 or more digits followed by 0 or more letters or numbers and replacing the matches with XXXX

regex101.com is a good online regex utility to help build regular expressions

How to rex using sed rex command?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...