Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I am trying to remove all the special characters in the field and replace them with space character using sed mode in rex command.

anjanikumar
Engager
‎07-19-2016 12:38 AM

First I tried to search for chars which aren't alphanumeric and replace them with space character.
source="Regex.zip:" | rex mode=sed field="Incident Description" "s/[^a-zA-Z0-9]/ /g"*

This does work fine but when I try the other approach as shown below

Second approach was to find all the special characters and replace them with space character.
source="Regex.zip:" | rex mode=sed field="Incident Description" "s/[!@#$%^&()-?/{}<|>\:;]/ /g"

This does display an error: Error in 'rex' command: Regex: missing terminating ] for character class

This the data I was working on

Preview file
16 KB
Reply

mad4wknds
Path Finder
‎05-27-2017 11:37 AM

I believe this link has the answer you are looking for.

https://answers.splunk.com/answers/139777/rex-mode-sed-diff-between-replace-and-substitute.html

0 Karma
Reply

javiergn
Super Champion
‎07-19-2016 06:26 AM

For completion and in order to avoid complicated syntax I would use the following regex instead:

| rex mode=sed "s/\W+/ /g"

Or if you want to have a more granular control:

| rex mode=sed "s/[^a-zA-Z0-9_\-\.]+/ /g"
Reply

neelamsantosh
Path Finder
‎04-19-2017 02:54 AM

how to use this during parsing time or props.conf

0 Karma
Reply

javiergn
Super Champion
‎04-19-2017 03:04 AM

Take a look at the following http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Anonymizedata as it'll explain this better than me.

The concept is the same.

0 Karma
Reply

sundareshr
Legend
‎07-19-2016 05:54 AM

Try escaping the special characters

... | rex mode=sed "s/\\[\!\@\#\$\%\^\&\(\)\-\?\/\{\}\<\|\>\\\\\:\;]/ /g""
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...