https://community.splunk.com/t5/Splunk-Search/Cleaning-raw-data-at-index-time-or-search-time/m-p/39712#M9089 <P>After fighting with the regex more, I realized I wasn't replacing the final '.' from the domain name thus not getting any matches against my look up table.</P> <PRE><CODE>eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.|$\.", "") </CODE></PRE> Fri, 22 Feb 2013 13:27:01 GMT aapittts 2013-02-22T13:27:01Z https://community.splunk.com/t5/Splunk-Search/Cleaning-raw-data-at-index-time-or-search-time/m-p/39711#M9088 <P>I have raw data that looks like this: <CODE>(4)example(3)domain(3)com(0)</CODE>. In my search, I've been using a macro that looks like this:</P> <PRE><CODE>eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.", "") </CODE></PRE> <P>This produces the desired result. However, when I try and pipe the output of the macro to a lookup table it doesn't work. I've narrowed the issue down to the regex bc if I put the example domain above in my lookup table I get the proper results. That is not the solution bc I have hundreds of domains in the lookup table and can not change them all. So my question is is there a way to pass the output of the regex properly or is this something that needs to be taken care of in the props or transforms?</P> Thu, 21 Feb 2013 21:07:48 GMT https://community.splunk.com/t5/Splunk-Search/Cleaning-raw-data-at-index-time-or-search-time/m-p/39711#M9088 aapittts 2013-02-21T21:07:48Z https://community.splunk.com/t5/Splunk-Search/Cleaning-raw-data-at-index-time-or-search-time/m-p/39712#M9089 <P>After fighting with the regex more, I realized I wasn't replacing the final '.' from the domain name thus not getting any matches against my look up table.</P> <PRE><CODE>eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.|$\.", "") </CODE></PRE> Fri, 22 Feb 2013 13:27:01 GMT https://community.splunk.com/t5/Splunk-Search/Cleaning-raw-data-at-index-time-or-search-time/m-p/39712#M9089 aapittts 2013-02-22T13:27:01Z