
I'm parsing the request_uri from a log file:

```
_sourceName="/opt/zazma/var/logs/AuditRequest.log"
| parse "method=*, statusCode=*, requestURI=*," as method, status_code, request_uri
| count by method, request_uri, status_code
| sort by request_uri
```

The URI includes IDs and email addresses. I want to replace all existing IDs with '{Id}' or '*', and all existing emails with '{email}', but Sumo's REPLACE function doesn't support regex.

Is there any other way to replace the value in the URI?

diogo
Gene Zeiniss
This is an old question, but Sumo's Replace function now supports regex: `replace(, //, ) as ` https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/replace – James Daily May 25 '22 at 14:04

1 Answer


You can match the start and end bits each side of the part you want to replace and join them back together later:

```
parse regex "(?<start>.*)(?<guid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}?)(?<end>.*?)$" nodrop
| concat(start, "{id}", end) as result
```
Jim
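The same URI normalisation outside Sumo, as an added example in Python (not code from the question or the answer): it replaces every GUID and e-mail address in a URI, including URL-encoded addresses, before counting by method, URI and status code. The sample log lines, the extra `ts`/`ip` fields, the assumption that IDs are GUIDs, and the e-mail pattern are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines using the "method=*, statusCode=*, requestURI=*," layout
# from the question; ts= and ip= are made-up surrounding fields.
SAMPLE_LOG = """\
ts=1 method=GET, statusCode=200, requestURI=/api/users/3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b/orders/0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d, ip=10.0.0.5
ts=2 method=GET, statusCode=200, requestURI=/api/users/7d9e0f1a-2b3c-4d4e-9f5a-6b7c8d9e0f1a/orders/11111111-2222-4333-8444-555555555555, ip=10.0.0.6
ts=3 method=POST, statusCode=404, requestURI=/api/invite/alice@example.com, ip=10.0.0.7
ts=4 method=POST, statusCode=404, requestURI=/api/invite/bob%40example.org, ip=10.0.0.8
"""

# Same three fields the question's parse statement extracts.
LINE_RE = re.compile(
    r"method=(?P<method>[^,]*), statusCode=(?P<status>[^,]*), requestURI=(?P<uri>[^,]*),"
)
# GUID shape taken from the answer's regex; matched case-insensitively.
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)
# Assumed e-mail shape; accepts a literal "@" or its URL-encoded form "%40".
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+(?:@|%40)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def normalise_uri(uri):
    """Replace every e-mail address and every GUID in the URI with a placeholder."""
    uri = EMAIL_RE.sub("{email}", uri)
    return GUID_RE.sub("{id}", uri)


def count_requests(log_text):
    """Count requests by (method, normalised URI, status code)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # skip lines that do not carry the three fields
        counts[(m["method"], normalise_uri(m["uri"]), m["status"])] += 1
    return counts


if __name__ == "__main__":
    rows = sorted(count_requests(SAMPLE_LOG).items(), key=lambda kv: kv[0][1])
    for (method, uri, status), n in rows:
        print(n, method, uri, status)
```

Normalising before aggregation also keeps the e-mail addresses out of the resulting report, which matters when the counts are shared more widely than the raw audit log.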