topic Re: Replacing "\\" with SEDCMD in Getting Data In

Replacing "\\" with SEDCMD

responsys_cm — Thu, 02 Aug 2012 21:31:43 GMT

I have some log data in CEF format that is using "\\" for Windows directory paths, so they look like:

c:\\directory\\subdirectory

I've tried using sed to replace that with a single "\" character, but it's always failing. I think it's escaping the "/" character in the sed command.

How can I replace that either at search time or indexing (preferred)?

Thx.

Craig

Re: Replacing "\\" with SEDCMD

gkanapathy — Thu, 02 Aug 2012 23:02:54 GMT

SEDCMD-replace = s/\\\\/\\/g

though that may replace if it finds it in other places besides a file path.

Re: Replacing "\\" with SEDCMD

responsys_cm — Fri, 03 Aug 2012 17:24:34 GMT

Nope. That doesn't work in props.conf or with rex mode=sed.

Here's the problem...

rex field=_raw mode=sed "s/\\\\/\\/g" produces:

Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace.

I get the same result with:

rex field=_raw mode=sed "s/\\\\/slash/g"

This successfully replaces the double backslash:

rex field=_raw mode=sed "s/\\\{2}/slash/g"

But any replacement text that ends with a backslash throws an error.

Re: Replacing "\\" with SEDCMD

Rob — Tue, 16 Oct 2012 18:27:15 GMT

You may want to try:

SEDCMD-replace = s/(\\\){1}\\\{1}/\1/g

It might be that the SEDCMD has the same problem as the search time based "rex" command. For doing the replacement at search time, you can definitely use:

| rex mode=sed "s/(\\\){1}\\\{1}/\1/g"

or to clean it up...

| rex mode=sed "s/(\\\){2}/\1/g"

The key seems to be that the \ character needs to be followed by another character other than a forward slash in the replacement group. The regex is working around this by capturing a slash and then we re-use that captured slash as our replacement so we can use characters that are not a backslash in the replacement.

Re: Replacing "\\" with SEDCMD

smolcj — Tue, 06 Nov 2012 10:15:09 GMT

can u help me to do it in reverse .. to replace single backslash to double backslash in source after the search index=main sourcetype=type|top source | rex ""
when i am trying sedcmd , there occurs an error summarizing i dont have permission to use sedcmd. please help
thanks for your time

Re: Replacing "\\" with SEDCMD

sowings — Tue, 06 Nov 2012 16:19:39 GMT

SEDCMD is a directive in props.conf, not a search command. To emulate this in a search, use rex mode=sed <sed_expression> as described in @Rob's answer above.

Re: Replacing "\\" with SEDCMD

smolcj — Wed, 07 Nov 2012 05:13:56 GMT

thanks sowings, then if i am searching the same like
|index=main source= C:\home\filename.txt |rex field=source mode=sed "s/\/\\/g"
i got an error like
"Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."
i am confused that the reason for this error is my regex. I am trying to replace backslash with double back slash. please help me
thanks

Re: Replacing "\\" with SEDCMD

woodcock — Thu, 30 Apr 2015 19:37:42 GMT

you can use other delimiter characters with sed; try using percent ('%') characters like this:



rex field=_raw mode=sed "s%/%%g"