Skip to content
Legacy docs for Tenzir v5.x. For the latest Tenzir v6 series, visit docs.tenzir.com. Migrating from v5? Read the Tenzir v6 migration guide.

replace

Replaces all occurrences of a value with another value.

replace [path:field...], what=any, with=any

Description

Section titled “Description”

The replace operator scans all fields of each input event and replaces every occurrence of a value equal to what with the value specified by with.

path: field... (optional)

Section titled “path: field... (optional)”

An optional set of paths to restrict replacements to.

what: any

Section titled “what: any”

The value to search for and replace.

with: any

Section titled “with: any”

The value to replace in place of what.

Examples

Section titled “Examples”

Replace all occurrences of 42 with null

Section titled “Replace all occurrences of 42 with null”
from {
  count: 42,
  data: {value: 42, other: 100},
  list: [42, 24, 42]
}
replace what=42, with=null
{
  count: null,
  data: {value: null, other: 100},
  list: [42, 24, 42]
}

Replace only within specific fields

Section titled “Replace only within specific fields”
from {
  count: 42,
  data: {value: 42, other: 100},
}
replace data, what=42, with=null
{
  count: 42,
  data: {value: null, other: 100},
}

Replace a specific IP address with a redacted value

Section titled “Replace a specific IP address with a redacted value”
from {
  src_ip: 192.168.1.1,
  dst_ip: 10.0.0.1,
  metadata: {source: 192.168.1.1}
}
replace what=192.168.1.1, with="REDACTED"
{
  src_ip: "REDACTED",
  dst_ip: 10.0.0.1,
  metadata: {
    source: "REDACTED",
  },
}

See Also

Section titled “See Also”

Last updated: