replace_pattern
The replace_pattern function replaces the parts of a single string field (the target) that match a regex pattern.
Syntax: replace_pattern(target, regex, replacement, function, replacementFormat)
- Target: A path expression pointing to a telemetry field that is subject to pattern matching and substitution.
- Regex: A string denoting the regular expression pattern for finding matching substrings.
- Replacement: A string, or a path expression to a string telemetry field, that replaces the matching segments.
- Function: (Optional) A transformation function that is applied to the replacement string, such as hashing.
- ReplacementFormat: (Optional) Specifies the format for the replacement, requiring exactly one %s format specifier.
Input
{
  "_type": "log",
  "attributes": {
    "decoded_body": "User's IP address: 192.168.1.45; Action: Login attempt.",
    "ip_addresses": "192.168.1.45, 10.10.10.10, 172.16.0.1"
  },
  "body": "User's IP address: 192.168.1.45; Action: Login attempt.",
  "resource": {...},
  "timestamp": 1733438810208
}
Statement
replace_pattern(attributes["decoded_body"], "192\\.168\\.1\\.\\d+", "192.168.1.xxx")
See Understand Escaping Characters.
Output
{
  "_type": "log",
  "attributes": {
    "decoded_body": "User's IP address: 192.168.1.xxx; Action: Login attempt.",
    "ip_addresses": "192.168.1.45, 10.10.10.10, 172.16.0.1"
  },
  "body": "User's IP address: 192.168.1.45; Action: Login attempt.",
  "resource": {...},
  "timestamp": 1733438843817
}
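In this example, the decoded_body field contains an IP address that is matched against the pattern "192\.168\.1\.\d+" and replaced with "192.168.1.xxx". The ip_addresses field remains unaffected because the statement targets only attributes["decoded_body"]; as the output shows, body also still holds the original address.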
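As an added example (not part of the product's documentation or code), this Python sketch models the statement above on the page's sample record and then scans every string field for values that still match the regex, showing which fields a single-target statement leaves unmasked. The helper names mask_field and residual_matches are hypothetical, and the model omits the optional function and replacementFormat arguments.

```python
import copy
import re

# Constructed sample: the Input record from this page (elided "resource" left empty).
RECORD = {
    "_type": "log",
    "attributes": {
        "decoded_body": "User's IP address: 192.168.1.45; Action: Login attempt.",
        "ip_addresses": "192.168.1.45, 10.10.10.10, 172.16.0.1",
    },
    "body": "User's IP address: 192.168.1.45; Action: Login attempt.",
    "resource": {},
    "timestamp": 1733438810208,
}
PATTERN = re.compile(r"192\.168\.1\.\d+")  # regex from the Statement, unescaped
MASK = "192.168.1.xxx"


def mask_field(record, path, pattern=PATTERN, replacement=MASK):
    """Model of replace_pattern on one target; returns a masked copy of the record."""
    out = copy.deepcopy(record)
    node = out
    for key in path[:-1]:
        node = node[key]
    if isinstance(node.get(path[-1]), str):
        # The lambda keeps the replacement literal (no group expansion in this model).
        node[path[-1]] = pattern.sub(lambda _m: replacement, node[path[-1]])
    return out


def residual_matches(node, pattern=PATTERN, prefix=""):
    """Walk every string field; return {path: [matches]} for values still matching."""
    found = {}
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{prefix}.{key}" if prefix else key
            found.update(residual_matches(value, pattern, child))
    elif isinstance(node, str):
        hits = pattern.findall(node)
        if hits:
            found[prefix] = hits
    return found


if __name__ == "__main__":
    masked = mask_field(RECORD, ["attributes", "decoded_body"])
    for path, hits in residual_matches(masked).items():
        print(f"unmasked value remains in {path}: {hits}")
```

Masking every field that carries the value takes one statement per target; rerunning the scan after each addition confirms when nothing matching the pattern is left in the record.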