replace_all_matches

The replace_all_matches function is used to replace any matching string value within a map type field with a specified replacement string. It is particularly useful for anonymizing or reformatting structured data within log entries.

Syntax: replace_all_matches(target, pattern, replacement, Function, replacementFormat)

• Target: The target is a path expression to a map type field, indicating where the replacement should occur.
• Pattern: The pattern is a string using to identify strings for replacement.
• Replacement: The replacement is the string or path expression that will replace each match found.
• Function (Optional): An optional converter function applied to the replacement string, such as a hash function.
• ReplacementFormat (Optional): An optional string format that must contain exactly one %s specifier for formatted replacements.

Input

{
	"_type": "log",
	"attributes": {
		"action": "/user/1234/list/5678",
		"details": "User 1234 performed an operation on list 5678. (/user/1234/list/5678)",
		"url": "/user/1234/list/5678"
	},
	"body": "...",
	"resource": {...},
	"timestamp": 1733437963210
}

Statement

replace_all_matches(attributes, "/user/*/list/*", "/user/{userId}/list/{listId}")

Output

{
	"_type": "log",
	"attributes": {
		"action": "/user/{userId}/list/{listId}",
		"details": "User 1234 performed an operation on list 5678. (/user/1234/list/5678)",
		"url": "/user/{userId}/list/{listId}"
	},
	"body": "...",
	"resource": {...},
	"timestamp": 1733437980591
}

The function replaces user and list IDs in the url field and the action field using generalized placeholders, without altering other fields like details.