Replaces each substring of the specified fields value that matches the given regular expression with the given replacement. LogScale uses JitRex which closely follows the syntax of re2j regular expressions, which has a syntax very close to Java's regular expressions. Check out LogScale Regular Expression Syntax.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
as | string | optional[a] | input field | Specifies the field to store the replaced string as. |
field | string | optional[a] | @rawstring | Specifies the field to run the replacement on. |
flags | string | optional[a] | m | Specifies other regex flags. |
| Values | ||||
d | Period (.) includes newline characters | |||
i | Ignore case for matched values | |||
m | Multi-line parsing of regular expressions | |||
regex[b] | string | required | The regular expression to match. | |
replacement | string | optional[a] | "" | The string to substitute for each match (same as with). |
with | string | optional[a] | "" | The string to substitute for each match. |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
regexcan be omitted; the following forms of this function are equivalent:logscale Syntaxreplace("value")and:
logscale Syntaxreplace(regex="value")These examples show basic structure only.
replace()Examples
Click next to an example below to get the full details.
Get Integer Part of Number
Get the integer part of a number using the
regex() function and regex capturing groups
Query
regex("(?<b>\\d+)\\..*",field=a)Introduction
In this example, regex pattern matching with a named capturing group is used to look at a filename and find something after the backslash, then store it in a new field named b, leaving the original field a unchanged.
See also alternative method mentioned under the summary.
Step-by-Step
Starting with the source repository events.
- logscale
regex("(?<b>\\d+)\\..*",field=a)Looks for a sequence of characters in a capturing group and replaces the character with a digit (number): \\ backslash (\) \d+ one or more digits \\ backslash (\) . any character .* zero or more characters. If the sequence of characters in an event looks like this
\folder58\instead of\folder58\a, then there is no filename as nothing comes after the\. Event Result set.
Summary and Results
The query with regex pattern matching and named capturing group is used to get the integer part of a number, storing the replacement (the matched value) automatically in a new field named b. This is useful when searching for specific filenames.
The query using the regex() function is primarily
used for pattern matching and extraction as regex is generally very
concise for simple extraction tasks.
There is another way of achieving the same end result using the
replace() function in a query like this:
replace("(\\d+)\\..*", with="$1", field=a,
as=b). This query uses the replace function with numbered
references to perform substitution, whereas the first one uses regex
pattern matching with a named capture group.
The query using replace() captures digits before
the decimal point in an unnamed group, and explicitly creates a new
field b with the result (\\d+).
This query using the replace() function is more
used for string manipulation and transformation in a replacement
operation.
Replace Word or Substring With Another
Replace a word or substring with another in an event set using the
replace() function with a regular expression
Query
replace(regex=propperties, with=properties)Introduction
In this example, the replace() function is
used to correct a spelling mistake.
Step-by-Step
Starting with the source repository events.
- logscale
replace(regex=propperties, with=properties)Replaces the word
proppertieswith the wordproperties. Event Result set.
Summary and Results
The query is used to correct spelling mistakes in an event set. Changing words or other substrings like this with a regular expression is useful in many situations, where it is necessary to make quick changes of field values.
Truncate a String or Message
Truncate a string or message to exaxt 100 characters using
replace() function and regex capturing groups
Query
replace("^(.{100}).*", with="$1", field=message, as="truncated_message")Introduction
In this example, the replace() function together
with regex capturing group, is used to truncate a string, chop of last
part of a message, to only show the first 100
characters, replace the last character with a digit (number) at the end
of the line. and then store the truncated string in the new field
truncated_message, leaving the
field message untouched.
Step-by-Step
Starting with the source repository events.
- logscale
replace("^(.{100}).*", with="$1", field=message, as="truncated_message")Captures group that matches exactly 100 characters of any type starting from the beginning of the line and replaces the last character at the end of the truncated string with a digit, then returns the truncated version in a new field named truncated_message. The original message field remains unchanged.
with="$1"means that it replaces the entire match with the defined number of characters, in this case 100 characters. Event Result set.
Summary and Results
The query is used to truncate strings.
Truncation can, for example, be used to speed up download times and complete searches faster. In file systems, the truncate operation is used to reduce the size of a file by removing data from the end. This can be helpful when you need to reclaim storage space or when dealing with log files that need to be periodically truncated.
Another advantage of truncation is, that it allows you to search for a word that could have multiple endings. This way it will broaden the results and look for variations of words.
Truncation of numbers is also useful to shorten digits past a certain point in the number.