topic Re: Rex mode=sed diff between replace and substitute in Splunk Search

Rex mode=sed diff between replace and substitute

ben_leung — Tue, 10 Jun 2014 20:38:52 GMT

What are the differences between option "s" and "y"?

index=_internal sourcetype=splunkd  | rex mode=sed “s/idx=\d+\.\d+\.\d+\.\d+\:\d+/XX.XXX.XX.XXX:XXXX/g"

index=_internal sourcetype=splunkd  | rex mode=sed "y/127.0.0.1:9997/XXX.X.X.X:XXXX/"

I can find all the logs with "Connected to blah blah" and replace the ip and port with something in both ways. Besides the fact that the substitute option will only grab the exact ip of "127.0.0.1", what are the major differences between these 2 options?

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Rex

Re: Rex mode=sed diff between replace and substitute

dwaddle — Tue, 10 Jun 2014 21:00:01 GMT

If you're familiar with the traditional unix commands sed and tr, the difference is that one is sed-like and the other is tr-like.

If you have an event of the form:

06/10/2014 00:05:00 myapp does super-awesome-things for user=bobbychuck

Then

| rex mode=sed "s/awesome/terrible/"

will cause it to say:

06/10/2014 00:05:00 myapp does super-terrible-things for user=bobbychuck

But

| rex mode=sed "y/abc/xyz/"

will cause:

06/10/2014 00:05:00 myxpp does super-xwesome-things for user=yoyyyzhuzk

Re: Rex mode=sed diff between replace and substitute

ben_leung — Tue, 10 Jun 2014 21:08:11 GMT

Thanks for responding dwaddle. I did not notice that the new characters match with the original ones.

Re: Rex mode=sed diff between replace and substitute

dwaddle — Wed, 11 Jun 2014 04:13:51 GMT

Yeah, the idea of s/xxx/yyy/ is fundamentally search-and-replace string-for-string while y/abc/xyz/ is "replace every a with x, every b with y, and every c with z." Both are useful but for different situations.

Re: Rex mode=sed diff between replace and substitute

vijaysubramania — Wed, 20 May 2020 17:31:57 GMT

Thanks Dwaddle!