Splunk query(SPL). Replace a value or anything that comes after the value until a special character

Question

I have these values in field from my query.

C360Lookup~single/MainMenu~2/e2_quote_policy_ask_zipcode~90094/e2_quote_existing_policy_utterance~sales_default/e2_quote_existing_policy~_xfer C360Lookup~single/MainMenu~2/e2_quote_policy_ask_zipcode~94579/e2_quote_existing_policy_utterance~insurance/e2_quote_existing_policy~_xfer C360Lookup~none/MainMenu~2/e2_quote_policy_ask_zipcode~91748/e2_quote_existing_policy_utterance~insurance.utterance.contains(quote)/e2_quote_existing_policy~_xfer

I want e2_quote_policy_ask_zipcode* to be replaced by AskZipcode. The output should like below in

C360Lookup~single/MainMenu~2/AskZipcode/e2_quote_existing_policy_utterance~sales_default/e2_quote_existing_policy~_xfer C360Lookup~single/MainMenu~2/AskZipcode/e2_quote_existing_policy_utterance~insurance/e2_quote_existing_policy~_xfer C360Lookup~none/MainMenu~2/AskZipcode/e2_quote_existing_policy_utterance~insurance.utterance.contains(quote)/e2_quote_existing_policy~_xfer

I tried multiple ways. Not able to achieve the desired results

Answer 1

This is a job for the rex command. Use the sed (Stream EDitor) option to replace text in a field.

| rex mode=sed field=foo "s/e2_quote_policy_ask_zipcode[^\/]+?/AskZipcode/g"