topic Re: SPL: Use regex replacement string multiple times in Splunk Search

SPL: Use regex replacement string multiple times

_Tom — Wed, 27 Oct 2021 08:57:57 GMT

Hello *,

I am looking for an SPL that reads the first part of a string via regex and replaces all occurrences of a certain character with this first part. This is to be used for summary indexing.

Example:

1;A__B 2;B__C__D__A__E 3;G

is to be transformed into (each line will become a value in a multivalue field):

1;A 1;B 2;B 2;C 2;D 2;A 2;E 3;G

Neither replace nor rex seem to be able to afford multiple replacements of this kind. I also tried foreach with some field extractions but failed. Before I write a custom search command for it, I hope for your ideas to solve the problem with some clever standard SPL.

Thank you in advance for your thoughts!

Re: SPL: Use regex replacement string multiple times

ITWhisperer — Wed, 27 Oct 2021 09:11:05 GMT

Re: SPL: Use regex replacement string multiple times

_Tom — Thu, 28 Oct 2021 16:03:29 GMT

Hello @ITWhisperer,

thank you very much for the quick answer, which helped a lot. We need to do the transformation for multiple fields within a complex query. Therefore, the solution had to be adapted somewhat:

Is there a better solution than overwriting _raw with the field value? I also was surprised that creating a multikv.conf file seems not to be required, as it autodetects semicolon as the separator and ignores the underlines.

Re: SPL: Use regex replacement string multiple times

ITWhisperer — Fri, 29 Oct 2021 11:31:09 GMT

You could try rename _raw as tmp_raw and fieldname1 as _raw rather the two assignments but, this is as good a way as any to get multikv to work.