I did it using rex in sed mode. Suppose you have an index with some paths having URIs such as /service/devices/5302AFDCE0EA/operation , e.g. of access logs containing:
127.0.0.1 - - [26/Sep/2014:18:01:07 +0200] "GET /service/devices/5302AFDCE0EA/operation HTTP/1.1" 200 112719 7085350
You can use rex to collapse all the URIs containing a unique device ID into a URI value /service/devices/${deviceId}/operation like this:
index="web-logs" earliest=-30m latest=now | rex field=uri mode=sed "s/\/devices\/\\w+\//\/devices\/${deviceId}\//g"
Now you can group events by uri and you won't have a long tail of unique values clumped under "OTHER". You can chain multiple | rex ... commands to your SPL to process more URI patterns.
... View more