Solved: Re: Adding delimiter to a field values

Laxman24 · ‎10-28-2020

Hi all,

I need some help in creating a new field,

I have a field like following

Field 1

AABBCCDDEEFF

AAAABBBBCCCC

Id like to make a new field and the values become :

AA-BB-CC-DD-EE-FF

AA-AA-BB-BB-CC-CC

could someone help me with this?

Thanks in advance!

ITWhisperer · ‎10-28-2020

| rex mode=sed "s/(?<pair>\w{2})/\1-/g s/-$//g"

View solution in original post

ITWhisperer · ‎10-28-2020

| rex mode=sed "s/(?<pair>\w{2})/\1-/g s/-$//g"

ayushisrivastav · ‎03-02-2023

Hi @ITWhisperer ,

please can you explain me the regular expression which you have written to fulfil the request.

ITWhisperer · ‎03-02-2023

Firstly, rex is put into stream-edit (sed) mode.

The regular expression is in two parts (separated by a space)

Secondly, the first sed expression means substitute (s) the captured group (?<pair>\w{2}) of 2 word-characters with the first captured group (\1) followed by a hyphen (1) done globally (g) through the field.

Thirdly, the second sed expression means substitute (s) the hyphen (-) at the end ($) for nothing i.e. remove it.

Laxman24 · ‎10-28-2020

Thank you!!!! 🙂 it works

Adding delimiter to a field values

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation