Source: socprime.com – Author: John Stevens
Sometimes when working with fields in SPL, it can be useful to search for and replace parts of text found in the field. Some reasons for doing this might be:
– removing white space to reduce the size of the field
– replacing field separators with characters that look nicer
– rearranging values in a field in an order that is more appropriate (displaying names as first, last or last, first)
To replace text in a field, use the rex command in sed mode with this syntax:
| rex mode=sed field=<field_name> "s/<regex>/<replacement>/g"
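The three uses listed above, as an added example that is not part of the original post. It runs on its own from the search bar; every field name and value is constructed sample data, and the eval copy is there because sed mode rewrites the field in place.

```spl
| makeresults
| eval sample_padded="  10.0.0.5   ->   10.0.0.9  ", sample_list="alice;bob;carol", sample_name="Stevens, John"
| eval sample_name_original=sample_name
| rex mode=sed field=sample_padded "s/\s+//g"
| rex mode=sed field=sample_list "s/;/, /g"
| rex mode=sed field=sample_name "s/^([^,]+),\s*(.+)$/\2 \1/"
| table sample_padded sample_list sample_name_original sample_name
```

The name swap uses capture groups referenced as \1 and \2 and omits the g flag, since the anchored pattern can match only once. If field= is left out, rex operates on _raw.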
Original Post URL: https://socprime.com/blog/search-and-replace-text-in-spl-fields-with-rex/
Category & Tags: Blog, Knowledge Bits, Splunk