Skip to main content
Sumo Logic

replace

The Replace Operator allows you to replace all instances of a specified string within a given field with another string. You might use to find all instances of a name and change it to a new name, or to replace punctuation in a field with different punctuation. This operator is useful anytime you need to rename something.

Syntax:

  • replace(sourceString, searchString, replaceString) as [fieldname]

Rules:

  • The Replace Operator requires assignment in the query with (as ... ).
  • If any of the inputs are Null, the output is Null.
  • If the searchString is not found, the sourceString is returned intact.
  • Regular expressions are not supported.
  • Please note that the string is case sensitive. 

Examples

Replace periods in a field with different punctuation.

To replace periods in a field with different punctuation, you could use the following query. (This query also uses the Fields operator to display only the required fields.)

error
| parse "[logger=*]" as logger
| replace(logger, ".","->") as logger_replace
| fields logger, logger_replace

which provides results like:

Remove underscores from a field to make it human readable.

If you had underscores in a field called moduleName, you could use a query such as:

... | replace(moduleName, "_", " ") as humanReadableModuleName

Replace periods in a phone number with dashes.

To replace periods in a phone number with dashes, you could use a query such as:

phone_num
| parse "[phone_num=*]" as phone_num
| replace(phone_num, ".", "-") as phone_num_dash

Rename a deployment’s abbreviation with a full name.

In this example, we have a field called “deploymentName” with values that are abbreviations for the different deployments in an environment, such as "apac-prod", "eu-prod", "us-prod", "us-dev". To replace the abbreviations with full titles for each deployment, you could use a query like this:

replace(deploymentName,"apac","Asia Pacific") as deploymentName
| replace(deploymentName,"eu","Europe") as deploymentName
| replace(deploymentName,"us","United States") as deploymentName
| replace(deploymentName,"prod","Production") as deploymentName
| replace(deploymentName,"dev","Development") as deploymentName

Use the Replace operator on multiple strings within one field.

For example, in multiple strings, to replace all number 5's with number 7's, and also replace all 4's with 2's, use multiple replace operations, as shown in the following query:

| replace(field, "5","7") as field
| replace(field, "4","2") as field

In this example, we set the initial event_id to match the event_code, and then do the replace operation on the event_id. This way, the event_id is always set with the match, and then the replaced value is passed back into the field with any subsequent operations that do not match.

_sourceName=Application
|timeslice 1h
| parse "SourceName = \"*\";" as Source 
| parse "Type = \"*\";" as Level 
| parse "EventCode = *;" as Event_Code
| event_code as event_id
|replace(event_id, "1073743528","1704") as event_id
|replace(event_id,"1073758208","16384") as event_id
|replace(event_id,"1073742726","902") as event_id
|replace(event_id,"1073742890","1066") as event_id
|replace(event_id,"1073742724","900") as event_id
|replace(event_id,"1073750833","9009") as event_id
|replace(event_id,"1073742727","903") as event_id
|replace(event_id,"1073742827","1003") as event_id
|fields - event_code
//|count by level, _timeslice
//|transpose row _timeslice column level
|count by event_id