topic Re: Using regex to replace letters in a search. in Splunk Search

Using regex to replace letters in a search.

kisa — Mon, 12 Aug 2013 10:28:19 GMT

Hi,

I'm performing a search using advanced xml that returns a key/value pair (among other things).

E.g. Filename=someName123.jpg

I use the Filename key to perform a few searches, e.g. $Filename$ in a child module. Following that I need to slightly change the name and continue a new search. The name requires the addition of a few numbers and a change of the extension.

E.g. someName123-456.bmp

So I've been trying to work out the best/easiest way to change the name. I've attempted some regex ("rex" and "rex mode=sed") and am failing dismally, purely due to my inability to grasp the regex syntax I think). I also had a brief look at eval replace option, but struggled to understand its operation (as shown here : http://splunk-base.splunk.com/answers/6424/replace-parts-of-a-string).

If anyone can help with this it would be much appreciated. Also if someone does provide a regex answer, could you please explain how it does what it does, or point me to a page so I can reverse engineer the regex syntax to understand how it does what it does?

Thank you in advance..

Re: Using regex to replace letters in a search.

Ayn — Mon, 12 Aug 2013 11:15:03 GMT

I was about to write an answer, but it would help if you could specify exactly how you want things to be transformed. Which parts of this are static and which are dynamic? Is "someName" always the same or not? Is there a rule to the numbers you want to add after the dash you're inserting in the filename? Should the extension always be changed from .jpg to .bmp?

Re: Using regex to replace letters in a search.

kisa — Mon, 12 Aug 2013 11:51:19 GMT

Thanks for the quick reply.

someName - will always be the same (static).
123 - will be consistent across the name change, but each someName file will have a new/different number e.g. 124.
It will always be a change from .jpg to 456.bmp (456 being consistent).

So I was trying to do something like:-

someName123.jpg to someName123-456.bmp

regex to replace .jpg (everything from the "." onward and inclusive or 4 characters back from the end of the string) with "-456.bmp". Which sounds simple, but I couldn't for the life of me work out the regex to do it 😞

Re: Using regex to replace letters in a search.

antlefebvre — Mon, 12 Aug 2013 14:04:53 GMT

Unsure of how to post code in comment, so I'm asking in answer.

Does it have to be in a regex or can you do this replacement in a search? Ex:

your search | eval newfilename=$filename$ | replace *.jpg with *-456.bmp in newfilename

Re: Using regex to replace letters in a search.

kisa — Mon, 28 Sep 2020 14:33:34 GMT

Thanks for the suggestion, it looks like it should work, though I can't get it to work :(. I added the eval and replace to a few searches but found they made no difference to the search. The search just returned what was set before the eval. What am I missing? Here is the last test I did:-

index=_internal | eval newName=$series$ | replace *web_access.log with *metrics.log in newName

It just returns everything filtered by "index=_internal", which is pretty much everything.

Re: Using regex to replace letters in a search.

kisa — Tue, 13 Aug 2013 09:36:54 GMT

Sorry, after some clarification I also found out that the value before the .bmp (i.e. 456) is not a constant.

Re: Using regex to replace letters in a search.

antlefebvre — Tue, 13 Aug 2013 11:03:33 GMT

I was illustrating the replace function. Your search is stating you want to see everything in _internal. You'll want to add this to the end of the search:
| search whatyourelookingfor=newName

if I am understanding what you are trying to do correctly.

Re: Using regex to replace letters in a search.

antlefebvre — Tue, 13 Aug 2013 11:22:30 GMT

Or just
| search newName

Re: Using regex to replace letters in a search.

kisa — Wed, 14 Aug 2013 10:32:35 GMT

Thanks again.

I tried:-

| search newName

and the search found nothing. I tried a :-

| table newName

and it displayed the correct name it should be searching for. Is there any reason why the search isn't working with the new eval/replace field name (using the same name in a standard Splunk search worked fine)?

Re: Using regex to replace letters in a search.

antlefebvre — Wed, 14 Aug 2013 12:29:00 GMT

Ah. Sorry. Search newName will literally search for the term newName whereas you want to search for its value. I am unsure how to extract the value from newName to pipe into a new search.

Re: Using regex to replace letters in a search.

kisa — Thu, 15 Aug 2013 10:30:19 GMT

No worries, thanks for your help so far. I'll see if I can finish it off 🙂