topic Re: replace strings in Splunk Search

How to replace replace strings?

saurabhkunte — Wed, 23 Aug 2023 19:23:04 GMT

Hello,
I have a lookup file with data in following format

name _time
srv-a.xyz.com 2017.07.23
srv-b.wxyz.com 2017.07.23

I want to replace .xyz.com with wxyz.com

My replace query does this correctly for values which end with .xyz.com. However for values ending with .wxyz.com it adds an extra . (dot) to the result.

| eval name = replace(name,".xyz.com", ".wxyz.com")
So the final output looks like :

name _time
srv-a.wxyz.com 2017.07.23
srv-b..wxyz.com 2017.07.23

why is that ? Any help on this highly appreciated. Thanks

Re: replace strings

Richfez — Sun, 23 Jul 2017 12:17:56 GMT

The replace function actually is regex. From the most excellent docs on replace:

replace(X,Y,Z) - This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

The X and Z portions are just strings, so in there a period is just a period, right?
The Y is a REGEX, and regular expressions use the dot as a wildcard for "any single character".

That means in replace(name,".xyz.com", ".wxyz.com") you are replacing every occurance of <any single character>xyz<any single character>com with ".wxyz.com".

If you want to use replace with literally what you wrote, just escape the periods by putting a backslash in front of them.

| eval name = replace(name,"\.xyz\.com", ".wxyz.com")

Here's a run-anywhere with it fixed. To watch it not work right, just remove the backslashes!

| makeresults 
| eval src=".wxyz.com"
| eval name = replace(src,"\.xyz\.com", ".wxyz.com")

Happy Splunking!
-Rich

Re: replace strings

cmerriman — Sun, 23 Jul 2017 19:13:27 GMT

You can try this:

| replace "*.xyz.com" with "*.wxyz.com" in name

Re: replace strings

saurabhkunte — Mon, 24 Jul 2017 07:05:42 GMT

Thank you Rich ! I overlooked the wildcard for any single character.

Re: replace strings

aebrittingham — Tue, 09 Oct 2018 16:29:37 GMT

I just used this and it did exactly what I wanted, put it at the end of my search and I didn't need to add extra stuff. Hence the point from me.

Re: replace strings

jaxjohnny2000 — Thu, 11 Jul 2019 14:44:19 GMT

Thank you. What if we have multiple occurrences of a string?

Windows-10-Enterprise
Windows-7-Enterprise
WindowsServer-2008-R2-Enterprise

How would we replace all the "-" characters with a space?

Re: replace strings

cmerriman — Thu, 11 Jul 2019 15:11:58 GMT

You could do |rex mode=sed field=field "s/-/ /g"

Re: replace strings

Richfez — Thu, 11 Jul 2019 15:17:20 GMT

You would probably better be served by creating a new question.

In fact, I probably shouldn't answer this here, but the answer is the easy "exactly like you'd expect" in that replace doesn't stop at the first match. Here's a run-anywhere.

| makeresults 
| eval test1 = "WindowsServer-2008-R2-Enterprise"
| eval test2 = replace(test1, "-", "")

Re: replace strings

unitedmarsupial — Fri, 13 Dec 2019 16:00:05 GMT

Thanks! It really is a full regular-expression substitution (using "extended" syntax) -- with capturing groups too. You can do things like replace(Field, ".* something ([A-Za-z]+) .*", "\1"). Character-classes (like [[:alnum:]]) do not seem to work, but that's less important.

Re: replace strings

neo3779_splunk — Wed, 23 Aug 2023 11:48:50 GMT

I tried:

| makeresults count=10
| eval src=random().".wxyz.com"
| eval name = replace(src,".wxyz.com", ".abc.com")

To see how it worked.