topic Re: How to escape a parentheses in sed rex command ? in Splunk Search

How to escape a parentheses in sed rex command ?

DavidHourani — Wed, 29 Mar 2017 11:40:55 GMT

Hello dearest Splunkers,

I am trying to convert "(A=hi) OR (B=bye)" to "(A=hi) NOT (B=bye)" using sed. So far I have the following command:

...| rex mode=sed field=search "s/\sOR\s\(/\sNOT\s\(/g"

This gives me the following error, since apparently the backslash isnt enough to escape the parentheses:

Error in 'rex' command: Regex: missing closing parenthesis

Can anyone help me out understanding how I can improve the regex or what I should use as an escape character instead of the backslash ?

Thank you.

Regards,
David

Re: How to escape a parentheses in sed rex command ?

Richfez — Wed, 29 Mar 2017 11:58:10 GMT

Try

...| rex field=search mode=sed "s/ OR / NOT /g"

You don't need to use any special space characters unless you really need to (i.e. they may be tabs or something). It doesn't feel like you do so you can simplify.

And, if you DID need to include the parenthesis, you only need to escape them in the first half of the sed command (the match part).

... | rex field=orig_field mode=sed "s/\) OR \(/) NOT (/g"

I know it looks funny but it does work. For clarity, the first half (matching part) is \) OR \(. The second part, the substitute part, is ) NOT (.

Here's the run-anywhere examples.

With spaces:

| makeresults | eval orig_field="(A=hi) OR (B=bye)" 
| rex field=orig_field mode=sed "s/ OR / NOT /g"

With escaped parenthesis:

| makeresults | eval orig_field="(A=hi) OR (B=bye)" 
| rex field=orig_field mode=sed "s/\) OR \(/) NOT (/g"

Happy Splunking!
-Rich

Re: How to escape a parentheses in sed rex command ?

DavidHourani — Wed, 29 Mar 2017 12:14:15 GMT

yes this is the answer haha.. So regexes are only used in the first part of the sed, not both parts ! Thank you!