Replacing a value at the end of a string

[ppcad]

I would like to replace certain values in a string with other values.

i.e. replace the number in the following string with NUMBER:

Input: "...this is a variable text... CONSTANT 543435"
Output: "...this is a variable text... CONSTANT NUMBER"

There can be multiple rules with a different CONSTANT that also require this replacement.

Is it possible to achieve this with a single processor, except for the normalizer?
I have found a work-around using the dissector. Here I use & to get a prefix at the end, assuming & never appears in the string:
%{target} CONSTANT %{}&%{+( CONSTANT NUMBER)target}
Is there a better way using one processor? This work-around would not be necessary if the dissector could add a suffix.

[ekneg54]

no... there is no solution yet.
we could implement a new processor for this. I do not suggest to extend the dissector for that, because it is build to dissect not to replace. A new processor replacer should do the job.

[ppcad]

Thanks, this sounds like a good solution to me.

[ekneg54]

we could implement this with the same syntax as the dissector. Then translate this to a python string template in the rule and then process the event with this built template. see: https://docs.python.org/3/library/string.html#template-strings

[ppcad]

This looks good. We would also need to handle the case where some variable part of a text shouldn't be replaced.

Input: Replace this number 4325435, but not this one 645354
Output: Replace this number NUMBER, but not this one 645354