Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I am trying to remove all the special characters in the field and replace them with space character using sed mode in rex command.

anjanikumar
Engager
‎07-19-2016 12:38 AM

First I tried to search for chars which aren't alphanumeric and replace them with space character.
source="Regex.zip:" | rex mode=sed field="Incident Description" "s/[^a-zA-Z0-9]/ /g"*

This does work fine but when I try the other approach as shown below

Second approach was to find all the special characters and replace them with space character.
source="Regex.zip:" | rex mode=sed field="Incident Description" "s/[!@#$%^&()-?/{}<|>\:;]/ /g"

This does display an error: Error in 'rex' command: Regex: missing terminating ] for character class

This the data I was working on

Preview file
16 KB
Reply

mad4wknds
Path Finder
‎05-27-2017 11:37 AM

I believe this link has the answer you are looking for.

https://answers.splunk.com/answers/139777/rex-mode-sed-diff-between-replace-and-substitute.html

0 Karma
Reply

javiergn
Super Champion
‎07-19-2016 06:26 AM

For completion and in order to avoid complicated syntax I would use the following regex instead:

| rex mode=sed "s/\W+/ /g"

Or if you want to have a more granular control:

| rex mode=sed "s/[^a-zA-Z0-9_\-\.]+/ /g"
Reply

neelamsantosh
Path Finder
‎04-19-2017 02:54 AM

how to use this during parsing time or props.conf

0 Karma
Reply

javiergn
Super Champion
‎04-19-2017 03:04 AM

Take a look at the following http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Anonymizedata as it'll explain this better than me.

The concept is the same.

0 Karma
Reply

sundareshr
Legend
‎07-19-2016 05:54 AM

Try escaping the special characters

... | rex mode=sed "s/\\[\!\@\#\$\%\^\&\(\)\-\?\/\{\}\<\|\>\\\\\:\;]/ /g""
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...