Replaces all occurrences of a value with another value.
replace [path:field...], what=any, with=anyDescription
Section titled “Description”The replace operator scans all fields of each input event and replaces every
occurrence of a value equal to what with the value specified by with.
path: field... (optional)
Section titled “path: field... (optional)”An optional set of paths to restrict replacements to.
what: any
Section titled “what: any”The value to search for and replace.
with: any
Section titled “with: any”The value to replace in place of what.
Examples
Section titled “Examples”Replace all occurrences of 42 with null
Section titled “Replace all occurrences of 42 with null”from { count: 42, data: {value: 42, other: 100}, list: [42, 24, 42]}replace what=42, with=null{ count: null, data: {value: null, other: 100}, list: [42, 24, 42]}Replace only within specific fields
Section titled “Replace only within specific fields”from { count: 42, data: {value: 42, other: 100},}replace data, what=42, with=null{ count: 42, data: {value: null, other: 100},}Replace a specific IP address with a redacted value
Section titled “Replace a specific IP address with a redacted value”from { src_ip: 192.168.1.1, dst_ip: 10.0.0.1, metadata: {source: 192.168.1.1}}replace what=192.168.1.1, with="REDACTED"{ src_ip: "REDACTED", dst_ip: 10.0.0.1, metadata: { source: "REDACTED", },}