Getting Data In

Replacing "\\" with SEDCMD

responsys_cm
Builder

I have some log data in CEF format that is using "\\" for Windows directory paths, so they look like:

c:\\directory\\subdirectory

I've tried using sed to replace that with a single "\" character, but it's always failing. I think it's escaping the "/" character in the sed command.

How can I replace that either at search time or indexing (preferred)?

Thx.

Craig

Tags (2)
1 Solution

Rob
Splunk Employee
Splunk Employee

You may want to try:

SEDCMD-replace = s/(\\\){1}\\\{1}/\1/g

It might be that the SEDCMD has the same problem as the search time based "rex" command. For doing the replacement at search time, you can definitely use:

| rex mode=sed "s/(\\\){1}\\\{1}/\1/g"

or to clean it up...

| rex mode=sed "s/(\\\){2}/\1/g"

The key seems to be that the \ character needs to be followed by another character other than a forward slash in the replacement group. The regex is working around this by capturing a slash and then we re-use that captured slash as our replacement so we can use characters that are not a backslash in the replacement.

View solution in original post

Rob
Splunk Employee
Splunk Employee

You may want to try:

SEDCMD-replace = s/(\\\){1}\\\{1}/\1/g

It might be that the SEDCMD has the same problem as the search time based "rex" command. For doing the replacement at search time, you can definitely use:

| rex mode=sed "s/(\\\){1}\\\{1}/\1/g"

or to clean it up...

| rex mode=sed "s/(\\\){2}/\1/g"

The key seems to be that the \ character needs to be followed by another character other than a forward slash in the replacement group. The regex is working around this by capturing a slash and then we re-use that captured slash as our replacement so we can use characters that are not a backslash in the replacement.

gkanapathy
Splunk Employee
Splunk Employee
SEDCMD-replace = s/\\\\/\\/g

though that may replace if it finds it in other places besides a file path.

smolcj
Builder

thanks sowings, then if i am searching the same like
|index=main source= C:\home\filename.txt |rex field=source mode=sed "s/\/\\/g"
i got an error like
"Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."
i am confused that the reason for this error is my regex. I am trying to replace backslash with double back slash. please help me
thanks

0 Karma

sowings
Splunk Employee
Splunk Employee

SEDCMD is a directive in props.conf, not a search command. To emulate this in a search, use rex mode=sed <sed_expression> as described in @Rob's answer above.

0 Karma

smolcj
Builder

can u help me to do it in reverse .. to replace single backslash to double backslash in source after the search index=main sourcetype=type|top source | rex ""
when i am trying sedcmd , there occurs an error summarizing i dont have permission to use sedcmd. please help
thanks for your time

0 Karma

responsys_cm
Builder

Nope. That doesn't work in props.conf or with rex mode=sed.

Here's the problem...

rex field=_raw mode=sed "s/\\\\/\\/g" produces:

Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace.

I get the same result with:

rex field=_raw mode=sed "s/\\\\/slash/g"

This successfully replaces the double backslash:

rex field=_raw mode=sed "s/\\\{2}/slash/g"

But any replacement text that ends with a backslash throws an error.

0 Karma

woodcock
Esteemed Legend

you can use other delimiter characters with sed; try using percent ('%') characters like this:


rex field=_raw mode=sed "s%/%%g"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...