Answer by warren for Alternative to 30+ `| rex field=path mode=sed…` in order to replace path parameters in urls

this sounds like a job for transforms.conf or maybe just to properly extract all those fields with props.conf.

If you’re waiting until search time to mask data, you’re still storing all of what you’re trying to mask

Lastly, eval myfield=replace(my_field,"regex","literal string") is almost always faster, in my experience, than rex mode=sed

Doc.Splunk references for eval, rex:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eval
- https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#replace.28.26lt.3Bstr.26gt.3B.2C.26lt.3Bregex.26gt.3B.2C.26lt.3Breplacement.26gt.3B.29
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex

from User warren – Stack Overflow https://stackoverflow.com/questions/76682981/alternative-to-30-rex-field-path-mode-sed-in-order-to-replace-path-param/76687967#76687967
via IFTTT

merikebi

warrenmyers.com