topic Re: SEDCMD - special requirement for backslash? in Getting Data In

SEDCMD - special requirement for backslash?

jgauthier — Mon, 09 May 2011 21:15:28 GMT

It seems I cannot replace data with a backslash in it.

For instance: DOMAIN\USERNAME

I have tried all of the following:

SEDCMD-translate=s/DOMAIN\//
SEDCMD-translate=s/DOMAIN\\//
SEDCMD-translate=s/DOMAIN\\\//   ( just for kicks.. nothing else works!)
SEDCMD-translate=s/DOMAIN\\\\//  (works on a unix command line!)

Any suggestions?

Re: SEDCMD - special requirement for backslash?

Ledion_Bitincka — Tue, 10 May 2011 01:21:21 GMT

You can try to use another delimiter char for example:

SEDCMD-translate=s#DOMAIN\\##

Note that you need to escape the \ for the regex to match what you want.

Re: SEDCMD - special requirement for backslash?

gkanapathy — Tue, 10 May 2011 03:42:22 GMT

The correct match for a \ character in this file is \\, so your two slashes should work, and it worked for me even with / as the SEDCMD delimiter character. Are you sure that the rest of your regex is matching?

Re: SEDCMD - special requirement for backslash?

Ledion_Bitincka — Tue, 10 May 2011 03:54:00 GMT

I seem to have mixed up the slashes - thus my answer is not really a solution here - I am not deleting just to let people know they can user other delimiters.

Re: SEDCMD - special requirement for backslash?

jgauthier — Tue, 10 May 2011 12:45:09 GMT

Absolutely positive. If I replace just DOMAIN with something else, that something else shows up in the index.

As soon as I remove the \, it stops matching.

I will continue to experiment. Thanks!

Re: SEDCMD - special requirement for backslash?

jgauthier — Tue, 10 May 2011 13:42:20 GMT

Curious. If I make the sedcmd looks like this:

SEDCMD-translate=s/DOMAIN\texthere//

Then "DOMAIN\texthere" is replaced.

If I leave it as
SEDCMD-translate=s/DOMAIN\//

It doesn't replace "DOMAIN\".
I believe it may be a defect.

Re: SEDCMD - special requirement for backslash?

gkanapathy — Tue, 10 May 2011 13:43:35 GMT

Wait, so it sounds to me like it is matching fine? If you remove the \ and it matches, it should delete the entire match DOMAIN\, correct? Or did you mean as soon as you remove the \ then it does match?

Re: SEDCMD - special requirement for backslash?

jgauthier — Tue, 10 May 2011 15:14:58 GMT

That is not what I typed! BAH.

Okay, let me try and correct this.

SEDCMD-translate=s/DOMAIN\texthere//
This correctly replaces "DOMAIN\texthere"

SEDCMD-translate=s/DOMAIN\//
This does not correctly replace "DOMAIN\"

I really botched up that comment with bad backslashes. I'm sorry! I am pretty sure I pasted that correctly.

In short, if I put text after \ it seems to replace.
But ending a replacement with a backslash does not appear to work correctly.

Re: SEDCMD - special requirement for backslash?

jgauthier — Tue, 10 May 2011 15:17:58 GMT

BAH! It did it again. When I paste my comment it is removing blackslashes. This is going to be a pain to document. Let me double up backslashes and try to get this to take it.

SEDCMD-translate=s/DOMAIN\\texthere//

This correctly replaces "DOMAIN\texthere"

SEDCMD-translate=s/DOMAIN\\//

This does not correctly replace "DOMAIN\"

Re: SEDCMD - special requirement for backslash?

darrellgrundy — Fri, 30 Sep 2011 15:18:53 GMT

I have the same problem. No number of backslashes works interactively on the search command. Results in the following error "Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string."

UPDATE: seems to be fixed in v4.2.3 ... I needed three backslashes \\ for it to work with rex mode=sed field=_raw

Re: SEDCMD - special requirement for backslash?

ajitsd — Tue, 17 Apr 2012 19:50:27 GMT

It works fine using capturing groups.

In your example, I would use:

SEDCMD-translate=s/\(DOMAIN\)\\/\1/

You can also try it out raw in the search first by executing:

 your_search | rex mode=sed "s/\(DOMAIN\)\\/\1/"

Re: SEDCMD - special requirement for backslash?

Rob — Tue, 16 Oct 2012 23:59:39 GMT

There is definitely something not quite right when using backslashes with the sed.

I provided a similar answer here: http://splunk-base.splunk.com/answers/54904/replacing-with-sedcmd/62199

Basically, you need to have the backslash characters be followed by a character that is not a slash and definitely not as part of the replacement. ajitsd provided a nice example by using a capture group instead of backslashes. However, you may need to escape more of the backslashes. For one backslash to match you will need to put in three backslashes as darrellgrundy mentioned. Try the following command in a search and see if that works for you:

| rex mode=sed "s/DOMAIN\\\{1}//g"

Re: SEDCMD - special requirement for backslash?

wrangler2x — Wed, 13 Jul 2016 22:50:58 GMT

I have had many battles with backslashes over the years I've been working with Splunk. Something I thought was working back in the 4.1.3 days seems to not work now. But (and I am on 6.1.5 while writing this) I have found something that works very well, though it is a bit odd looking. Use \x5C{1} for the backslash. You can prove to yourself that this works by running the following search:

| gentimes start=-1 | eval domainUser="DOMAIN\USERNAME"
| table domainUser
| eval User=domainUser
| rex mode=sed field=User "s/DOMAIN\x5C{1}//"

Here is the output:

domainUser User
DOMAIN\USERNAME USERNAME

Ignore the line with the 5. following the rex above. Posting this adds it and I can't get rid of it. Doesn't show when I edit. Pfft.

Re: SEDCMD - special requirement for backslash?

wrangler2x — Thu, 14 Jul 2016 16:47:31 GMT

Just a quick update to this: I've tested this in both SEDCMD in props.conf and in search using rex mode=sed and this works in both places. I think that SEDCMD is more picky, because I've found other ways of doing this in search with rex that don't work with SEDCMD. This works in both.

Re: SEDCMD - special requirement for backslash?

StorageMatt — Tue, 04 Jul 2017 17:42:43 GMT

Just to keep this thread up to date (because it just ended 4 hours of mental torture!), working in 6.5.2,

| rex field=User_name mode=sed "s/(\\\\)/\1\1/g"

worked for me to translate {anything & any case}\{anything} into the same with a double backslash.

Useful when building a multiselect source query listing users from hundreds of different servers.
Thanks to all the contributors on here for their efforts 🙂

Re: SEDCMD - special requirement for backslash?

wrangler2x — Thu, 24 Aug 2017 20:52:08 GMT

s/\x5C{1}//g works great for this

Really!? Yes, indeedy! Let's test it.

| makeresults
| eval domainUser="theLaTiDahDomain\johndoejr"
| table domainUser
| eval User=domainUser
| rex mode=sed field=User "s/.*\x5C{1}//"

This returns johndoejr in the User column.

| makeresults is a new feature beginning in 6.3, I believe. If you are on an earlier release use | gentimes start=-1 instead.