How do I use the replace operator on multiple strings within one field?

Follow

James Witt

• May 11, 2015 19:28

For example, I want to replace all number 5's with number 7's, and also replace all 4's with 2's.

0

• 

  Kevin Sumo

  • May 11, 2015 21:03

  You will need to do this with multiple replace operations. For example:

  | replace(field, "5","7") as field
  
  | replace(field, "4","2") as field

  0

  Comment actions Permalink
• 

  James Witt

  • May 13, 2015 14:23

  When performing that operation, only the last Replace command is acknowledged as if the Replace operators are overwriting each other. It does work to an extent when each command is designated its own unique output field, but that is just a mess and not very useful.

  0

  Comment actions Permalink
• 

  Kevin Sumo

  • May 13, 2015 15:22

  That should not be the case. Can you provide the operations you are running and a sample of the original field value?

  0

  Comment actions Permalink
• 

  James Witt

  • May 13, 2015 18:20

  _collector=Windows_Collector_Test
  
  _sourceName=Application
  
  |timeslice 1h
  
  | parse "SourceName = \"*\";" as Source | parse "Type = \"*\";" as Level | parse "EventCode = *;" as Event_Code
  
  |replace(event_code, "1073743528","1704") as event_id
  
  |replace(event_code,"1073758208","16384") as event_id
  
  |replace(event_code,"1073742726","902") as event_id
  
  |replace(event_code,"1073742890","1066") as event_id
  
  |replace(event_code,"1073742724","900") as event_id
  
  |replace(event_code,"1073750833","9009") as event_id
  
  |replace(event_code,"1073742727","903") as event_id
  
  |replace(event_code,"1073742827","1003") as event_id
  
  |fields - event_code
  
  //|count by level, _timeslice
  
  //|transpose row _timeslice column level
  
  |count by Event_id

   

  That is my full search query, and the 1073742827 to 1003 replacement is the only replace operator to work.

  0

  Comment actions Permalink
• 

  Kevin Sumo

  • May 14, 2015 04:52

  If the search string is not found, the source string is returned intact in the field. Because of this, with each subsequent attempt to do a replace the event_id is getting overwritten with the event_code, since that code no longer matches the string to replace.

  Lets give this query a try. This sets the initial event_id to match the event_code and then does the replace on the event_id instead. This way the event_id will always get set with the match and then the replaced value is passed back into the field with any subsequent operations that do not match.

  _sourceName=Application
  
  |timeslice 1h
  
  | parse "SourceName = \"*\";" as Source | parse "Type = \"*\";" as Level | parse "EventCode = *;" as Event_Code
  
  | event_code as event_id
  
  |replace(event_id, "1073743528","1704") as event_id
  
  |replace(event_id,"1073758208","16384") as event_id
  
  |replace(event_id,"1073742726","902") as event_id
  
  |replace(event_id,"1073742890","1066") as event_id
  
  |replace(event_id,"1073742724","900") as event_id
  
  |replace(event_id,"1073750833","9009") as event_id
  
  |replace(event_id,"1073742727","903") as event_id
  
  |replace(event_id,"1073742827","1003") as event_id
  
  |fields - event_code
  
  //|count by level, _timeslice
  
  //|transpose row _timeslice column level
  
  |count by event_id

  0

  Comment actions Permalink
• 

  James Witt

  • May 14, 2015 14:58

  Thank you, that helps

  0

  Comment actions Permalink

Please sign in to leave a comment.