replace_all_patterns
The replace_all_patterns function is used to substitute parts of all string values or keys within a map that conform to a specific regex pattern with a new string.
Syntax: replace_all_patterns(target, mode, regex, replacement, function, replacementFormat)
- Target: The path expression to a map type field which contains the data to be transformed.
- Mode: Specifies whether replacements are applied to the map's key or value. Acceptable options are key or value.
- Regex: The regular expression pattern that identifies what portions of the target should be replaced.
- Replacement: This is the new string that replaces matched segments and can reference matched groups using a specific syntax.
- Function: (Optional) A converter function that processes the replacement string.
- ReplacementFormat: (Optional) Specifies a formatting pattern for replacements, including a %s placeholder for the main replacement content.
Input
{
"_type": "log",
"attributes": {
"decoded_body": "User's IP address: 192.168.1.45; Action: Login attempt.",
"ip_addresses": "192.168.1.45, 10.10.10.10, 172.16.0.1"
},
"body": "User's IP address: 192.168.1.45; Action: Login attempt.",
"resource": {...},
"timestamp": 1733438978059
}
Statement
replace_all_patterns(attributes, "value", "192\\.168\\.1\\.\\d+", "192.168.1.xxx")
See Understand Escaping Characters.
Output
{
"_type": "log",
"attributes": {
"decoded_body": "User's IP address: 192.168.1.xxx; Action: Login attempt.",
"ip_addresses": "192.168.1.xxx, 10.10.10.10, 172.16.0.1"
},
"body": "User's IP address: 192.168.1.45; Action: Login attempt.",
"resource": {...},
"timestamp": 1733439002570
}
In this example, the values of the decoded_body and ip_addresses fields in the attributes map are matched against the pattern "192\.168\.1\.\d+", and each match is replaced with "192.168.1.xxx", anonymizing that segment in all string values of the map. The top-level body field is outside the target map, so it still contains the original address 192.168.1.45.
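The following added example (not part of the original page and not the processor's own code) approximates the value-mode masking in Python and then scans the whole record for strings that still match the pattern, which is how the unmasked body field in the output above would be caught. The names mask_map, residual_matches and masked_record are hypothetical, the record is a constructed copy of the page's input with resource omitted, and the replacement is treated as a literal string with no group references.

```python
import re

# Constructed sample record mirroring the page's input ("resource" omitted).
RECORD = {
    "_type": "log",
    "attributes": {
        "decoded_body": "User's IP address: 192.168.1.45; Action: Login attempt.",
        "ip_addresses": "192.168.1.45, 10.10.10.10, 172.16.0.1",
    },
    "body": "User's IP address: 192.168.1.45; Action: Login attempt.",
    "timestamp": 1733438978059,
}
PATTERN = r"192\.168\.1\.\d+"


def mask_map(target, mode, regex, replacement):
    """Approximation of replace_all_patterns on one map (hypothetical helper)."""
    rx = re.compile(regex)
    out = {}
    for key, value in target.items():
        if mode == "key":
            key = rx.sub(lambda m: replacement, key)
        elif mode == "value" and isinstance(value, str):
            value = rx.sub(lambda m: replacement, value)
        out[key] = value
    return out


def residual_matches(node, regex, path=""):
    """Return the paths of every string in the record that still matches regex."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += residual_matches(value, regex, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += residual_matches(value, regex, f"{path}[{i}]")
    elif isinstance(node, str) and re.search(regex, node):
        hits.append(path)
    return hits


def masked_record():
    """Apply the page's statement to attributes only, leaving other fields alone."""
    rec = dict(RECORD)
    rec["attributes"] = mask_map(RECORD["attributes"], "value", PATTERN, "192.168.1.xxx")
    return rec
```

Any path returned by residual_matches after masking names a field that needs its own masking statement or must be dropped before the record leaves the pipeline.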