Splunk's | rex mode=sed equivalent in Sumo

Follow

Antony Bowesman

• October 23, 2018 01:30

I have numerous fields that contain poorly defined data. With Splunk I would typically just do something like

| rex field=x mode=sed "s/\d{2,}/ID/g"

to change all 2+ digits in a field to the text 'ID'.

This type of construct is useful, for example, in stripping out numbers in URLs so that one can do analysis on URL families without having to know in advance what sort of paths I may see in URLs.

How do I do this in data cleanup in Sumo Logic.

parse doesn't seem to be able to do the job

 

0

• Official comment

  

  Ryan Johnson

  • October 23, 2018 01:48

  Hi Antony,

  I have some good news! We recently released regular expression support in our replace operator which can do exactly what you've detailed. Give the following a try:

  | replace (x, /d{2,}/, "ID") AS x

  More details can be found in our online documentation here (LINK)

  I hope this helps!

  Comment actions Permalink

Please sign in to leave a comment.