topic Re: How to use sed to replace a string with value from another variable? in Splunk Search

How to use sed to replace a string with value from another variable?

pdahal — Fri, 21 Oct 2016 21:47:19 GMT

I want to replace scheduleendtime=...& with scheduleendtime=valueOf(difference) in Splunk output.

In Linux shell, this can be done using sed s/scheduleendtime=[^&]*/scheduleendtime=$difference/. When I try using same command in splunk, I fail horribly. Splunk doesn't do variable replacement in sed rather every occurrence of "scheduleendtime=[^&]*" is replaced with "scheduleendtime=$difference" exact string.

... | eval difference = case(schedule_time_diff <= 4200,"<_1_hour", schedule_time_diff < 28800, "<_8_hours", schedule_time_diff < 172800, " <_2_days") | rex mode=sed s/scheduleendtime=[^&]*/scheduleendtime=$difference/

I used sed because I am comfortable with it. If you think another command works better in this scenario, please let me know.

Re: How to use sed to replace a string with value from another variable?

sundareshr — Fri, 21 Oct 2016 22:10:06 GMT

Why not just set scheduleendtimetodifferenceusingeval...eval scheduleendtime=difference`.?

Re: How to use sed to replace a string with value from another variable?

pdahal — Fri, 21 Oct 2016 22:15:06 GMT

That would create a variable named scheduleendtime and it would hold value of difference.
How can i insert that value in splunk output?

Re: How to use sed to replace a string with value from another variable?

sundareshr — Fri, 21 Oct 2016 22:35:08 GMT

How about replace() function. Here's a simple example on how you might be able to use it

| makeresults 
| eval searchtime="sometext&somemoretext" 
| eval difference="123456" 
| eval searchtime=replace(searchtime, "^([^&]+)", difference) 
| table searchtime difference

Re: How to use sed to replace a string with value from another variable?

gokadroid — Sun, 23 Oct 2016 02:16:24 GMT

Based on your comment above:
How can i insert that value in splunk output?

Here is how you can get the output back in raw and might not need sed at all:

... | eval difference = case(schedule_time_diff <= 4200,"<_1_hour", schedule_time_diff < 28800, "<_8_hours", schedule_time_diff < 172800, " <_2_days") 
| rex "^(?<headOfText>.*scheduleendtime=)[^&]*(?<tailOfText>\&.*)"
| eval _raw=headOfText.difference.tailOfText

Re: How to use sed to replace a string with value from another variable?

pdahal — Mon, 24 Oct 2016 23:45:27 GMT

Thank you @gokadroid. This works like a charm.
BTW, you missed a quote at the end of 3rd line.

Re: How to use sed to replace a string with value from another variable?

gokadroid — Mon, 24 Oct 2016 23:47:51 GMT

damn...I need to go to get my eyes checked up.. thanks man...editing the rex piece. An upvote will help a lot too.