I am trying to remove all the special characters i...

anjanikumar · ‎07-19-2016

First I tried to search for chars which aren't alphanumeric and replace them with space character.
source="Regex.zip:" | rex mode=sed field="Incident Description" "s/[^a-zA-Z0-9]/ /g"*

This does work fine but when I try the other approach as shown below

Second approach was to find all the special characters and replace them with space character.
source="Regex.zip:" | rex mode=sed field="Incident Description" "s/[!@#$%^&()-?/{}<|>\:;]/ /g"

This does display an error: Error in 'rex' command: Regex: missing terminating ] for character class

mad4wknds · ‎05-27-2017

I believe this link has the answer you are looking for.

https://answers.splunk.com/answers/139777/rex-mode-sed-diff-between-replace-and-substitute.html

javiergn · ‎07-19-2016

For completion and in order to avoid complicated syntax I would use the following regex instead:

| rex mode=sed "s/\W+/ /g"

Or if you want to have a more granular control:

| rex mode=sed "s/[^a-zA-Z0-9_\-\.]+/ /g"

neelamsantosh · ‎04-19-2017

how to use this during parsing time or props.conf

javiergn · ‎04-19-2017

Take a look at the following http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Anonymizedata as it'll explain this better than me.

The concept is the same.

sundareshr · ‎07-19-2016

Try escaping the special characters

... | rex mode=sed "s/\\[\!\@\#\$\%\^\&\(\)\-\?\/\{\}\<\|\>\\\\\:\;]/ /g""

I am trying to remove all the special characters in the field and replace them with space character using sed mode in rex command.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms