replace() Query Function

Replaces each substring of the specified fields value that matches the given regular expression with the given replacement. Humio uses JitRex which closely follows the syntax of re2j regular expressions, which has a syntax very close to Java’s regular expressions. Check out the syntax.

Parameters

Name

Type

Required

Default

Description

regex

string

Yes

The regular expression to match.

with

string

No

The string to substitute for each match (defaults to a pair of double-quotes).

replacement

string

No

The string to substitute for each match (same as with).

as

string

No

Specifies the field to store the replaced string as. Default is replacing the contents of the input field .

field

string

No

@rawstring

Specifies the field to run the replacement on. Default is running against @rawstring.

flags

string

No

m

Specifies other regex flags m is multi line, i is ignore case, and d means dot (.) includes newline.

The implied parameter is regex.

Examples

  • Correct a spelling mistake

    humio
    replace(regex=properties, with=properties)
    
  • Get the integer part of a number. This example uses regex capturing groups, and stores the replacement in the field b, leaving field a untouched. This is the same as regex("(?<b>\d+)\..*", field=a) using a named capture group.

    humio
    replace("(\d+)\..*", with="$1", field=a, as=b)
    
  • Truncate a message to 100 characters:

    humio
    replace("^(.{100}).*", with="$1", field=message, as="truncated_message")