How do I use the replace operator on multiple strings within one field?

Comments

6 comments

  • Avatar
    Kevin Keech2

    You will need to do this with multiple replace operations. For example:

    | replace(field, "5","7") as field

    | replace(field, "4","2") as field

    0
    Comment actions Permalink
  • Avatar
    James Witt

    When performing that operation, only the last Replace command is acknowledged as if the Replace operators are overwriting each other. It does work to an extent when each command is designated its own unique output field, but that is just a mess and not very useful.

    0
    Comment actions Permalink
  • Avatar
    Kevin Keech2

    That should not be the case. Can you provide the operations you are running and a sample of the original field value?

    0
    Comment actions Permalink
  • Avatar
    James Witt

    _collector=Windows_Collector_Test

    _sourceName=Application

    |timeslice 1h

    | parse "SourceName = \"*\";" as Source | parse "Type = \"*\";" as Level | parse "EventCode = *;" as Event_Code

    |replace(event_code, "1073743528","1704") as event_id

    |replace(event_code,"1073758208","16384") as event_id

    |replace(event_code,"1073742726","902") as event_id

    |replace(event_code,"1073742890","1066") as event_id

    |replace(event_code,"1073742724","900") as event_id

    |replace(event_code,"1073750833","9009") as event_id

    |replace(event_code,"1073742727","903") as event_id

    |replace(event_code,"1073742827","1003") as event_id

    |fields - event_code

    //|count by level, _timeslice

    //|transpose row _timeslice column level

    |count by Event_id

     

    That is my full search query, and the 1073742827 to 1003 replacement is the only replace operator to work.

    0
    Comment actions Permalink
  • Avatar
    Kevin Keech2

    If the search string is not found, the source string is returned intact in the field. Because of this, with each subsequent attempt to do a replace the event_id is getting overwritten with the event_code, since that code no longer matches the string to replace.

    Lets give this query a try. This sets the initial event_id to match the event_code and then does the replace on the event_id instead. This way the event_id will always get set with the match and then the replaced value is passed back into the field with any subsequent operations that do not match.

    _sourceName=Application

    |timeslice 1h

    | parse "SourceName = \"*\";" as Source | parse "Type = \"*\";" as Level | parse "EventCode = *;" as Event_Code

    | event_code as event_id

    |replace(event_id, "1073743528","1704") as event_id

    |replace(event_id,"1073758208","16384") as event_id

    |replace(event_id,"1073742726","902") as event_id

    |replace(event_id,"1073742890","1066") as event_id

    |replace(event_id,"1073742724","900") as event_id

    |replace(event_id,"1073750833","9009") as event_id

    |replace(event_id,"1073742727","903") as event_id

    |replace(event_id,"1073742827","1003") as event_id

    |fields - event_code

    //|count by level, _timeslice

    //|transpose row _timeslice column level

    |count by event_id

    0
    Comment actions Permalink
  • Avatar
    James Witt

    Thank you, that helps

    0
    Comment actions Permalink

Please sign in to leave a comment.