re.replace
re.replace(stringText, replaceRegex, replacementText)
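Description
Performs a regular expression replacement.
This function takes three arguments:
stringText: the original string.
replaceRegex: the regular expression indicating the pattern to search for.
replacementText: the text to insert into each match.
Returns a new string derived from the original stringText, where all substrings that match the pattern in replaceRegex are replaced with the value in replacementText. You can use backslash-escaped digits (\1 to \9) within replacementText to insert text matching the corresponding parenthesized group in the replaceRegex pattern. Use \0 to refer to the entire matching text.
The function replaces non-overlapping matches and will prioritize replacing the first occurrence found. For example, re.replace("banana", "ana", "111") returns the string "b111na".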
Param data types
STRING, STRING, STRING
Return type
STRING
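Code samples
Example 1
This example captures everything after the @ symbol in an email, replaces com with org, and then returns the result. Notice the use of nested functions.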
"email@google.org" = re.replace($e.network.email.from, "com", "org")
Example 2
This example uses backslash-escaped digits in the replacementText argument to reference matches to the replaceRegex pattern.
"test1.com.google" = re.replace(
$e.principal.hostname, // holds "test1.test2.google.com"
"test2\.([a-z]*)\.([a-z]*)",
"\\2.\\1" // \\1 holds "google", \\2 holds "com"
)
Example 3
Note the following cases when dealing with empty strings and re.replace():
Using an empty string as replaceRegex:
// In the function call below, if $e.principal.hostname contains "name",
// the result is: 1n1a1m1e1, because an empty string is found next to
// every character in `stringText`.
re.replace($e.principal.hostname, "", "1")
To replace an empty string, you can use "^$" as replaceRegex:
// In the function call below, if $e.principal.hostname contains the empty
// string, "", the result is: "none".
re.replace($e.principal.hostname, "^$", "none")
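The behaviours documented above (non-overlapping replacement of every match, \0 to \9 group references, and the empty-pattern cases) can be checked offline before a pattern goes into a rule. The Python model below is an added example, not Google's implementation: it assumes Python's re engine agrees with the product's regex engine for these simple patterns, treats only \0 to \9 as special in the replacement text, and uses constructed inputs.

```python
import re

# Assumption of this sketch: only \0 to \9 are special in replacement_text.
_BACKREF = re.compile(r"\\([0-9])")


def re_replace(string_text, replace_regex, replacement_text):
    """Approximate the documented re.replace semantics with Python's re."""
    pattern = re.compile(replace_regex)

    def expand(match):
        def group_text(ref):
            index = int(ref.group(1))
            if index > pattern.groups:
                raise ValueError("\\%d has no group in %r" % (index, replace_regex))
            return match.group(index) or ""  # unmatched optional group -> ""
        return _BACKREF.sub(group_text, replacement_text)

    # sub() scans left to right and replaces every non-overlapping match.
    return pattern.sub(expand, string_text)


# Constructed inputs: (stringText, replaceRegex, replacementText, expected).
CASES = [
    ("banana", "ana", "111", "b111na"),
    ("email@google.com", "com", "org", "email@google.org"),
    ("test1.test2.google.com", r"test2\.([a-z]*)\.([a-z]*)", r"\2.\1", "test1.com.google"),
    ("name", "", "1", "1n1a1m1e1"),
    ("", "^$", "none", "none"),
    ("10.0.0.5", "[0-9]+", r"<\0>", "<10>.<0>.<0>.<5>"),
    # An unanchored pattern rewrites every occurrence, not only the TLD.
    ("comms@company.com", "com", "org", "orgms@orgpany.org"),
    # Anchoring limits the rewrite to the trailing label.
    ("comms@company.com", r"\.com$", ".org", "comms@company.org"),
]


def failing_cases():
    """Return the cases whose modelled output differs from the expected one."""
    return [c for c in CASES if re_replace(c[0], c[1], c[2]) != c[3]]


if __name__ == "__main__":
    for text, regex, repl, _ in CASES:
        print(repr(text), repr(regex), repr(repl), "->", repr(re_replace(text, regex, repl)))
```

The last two cases show why a normalization pattern used in a detection should be anchored: the unanchored "com" from Example 1 also rewrites matches inside the local part and the domain name.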
Last updated (UTC): 2025-07-29.