Splunk's | rex mode=sed equivalent in Sumo

Follow
Avatar
Antony Bowesman

I have numerous fields that contain poorly defined data. With Splunk I would typically just do something like

| rex field=x mode=sed "s/\d{2,}/ID/g"

to change all 2+ digits in a field to the text 'ID'.

This type of construct is useful, for example, in stripping out numbers in URLs so that one can do analysis on URL families without having to know in advance what sort of paths I may see in URLs.

How do I do this in data cleanup in Sumo Logic.

parse doesn't seem to be able to do the job

 

0

Comments

1 comment

Sort by Date Votes
  • Official comment
    Avatar
    Ryan Johnson

    Hi Antony,

    I have some good news! We recently released regular expression support in our replace operator which can do exactly what you've detailed. Give the following a try:

    | replace (x, /d{2,}/, "ID") AS x

    More details can be found in our online documentation here (LINK)

    I hope this helps!

    Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post