
Can regex remove spaces inside a capture group?

Explorer

I am using regex to extract slot and port information. Here is an example of the syslog output:

Slot1 : OLTPort2

Is it possible in regex to remove the spaces around the :?

I would like it to look like this:

Slot1:OLTPort2

By using two captures I can use eval to combine two extracts but I would prefer to do it with regex, if possible.

| where isnotnull(S_Slot) AND isnotnull(S_Port) | eval SlotAndPort = S_Slot . ":" . S_Port
0 Karma
1 Solution

SplunkTrust

@donemery you can use the replace() evaluation function to remove spaces from your data.

| makeresults
| eval data="Slot1 : OLTPort2"
| eval dataWithoutSpace=replace(data,"\s","")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


Esteemed Legend

Always share as much as you can. Now that we have your RegEx, your problem is clear. You cannot fix it in a single step; it will take 2 and the 2 change depending on whether this is search-time or index-time, which again, you neglected to tell us. In either case, add a new transform to the end of the existing REPORT- or TRANSFORMS- line called StripSpaces. Then put this in your transforms.conf:

[StripSpaces]
SOURCE_KEY = <YourExistingFieldNameWhichYouDidNotShare>
REGEX = (\S+)\s*:\s*(\S+)
FORMAT = $1::":"::$2
0 Karma

Explorer

Thanks. In the future I will provide more details to start and I will reach out to the folks that administer Splunk for us to see what is the method they will implement.

0 Karma

Esteemed Legend

Assuming that your existing RegEx looks something like this:

(?<Slot1>[^xyz]+)

Change it to this:

\s*(?<Slot1>[^xyz\s]+)\s*
0 Karma

Explorer

I can't get the \s* to work with my field extraction. Maybe I am doing something wrong.

Here is the full field extraction:

^[^\[\n]*\[\s+(?P[S,s]lot\d+\s+\:\s+[O,U][L,p][T,l]\D{3,8}\d+)

Here is an example of the data I am extracting from:

Apr 15 17:25:49 +00:00 HOST06-XXXX [ Slot4 : OLTPort3 : ONU7 : In service.]
0 Karma


Contributor

You need the rex command in sed mode. Assuming your field with both slot and port is SlotAndPort:

... your search ...
| rex field=SlotAndPort mode=sed "s/ //g"

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Rex has more details.

0 Karma

Contributor

haha, I was overthinking. @niketnilay's answer is much better! This would be more useful if you needed to replace a pattern, not a particular character.

0 Karma
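An added example, not part of any post in this thread: a search-time sketch run against the sample syslog line quoted above. A capture group returns one contiguous piece of the event, so the spaces have to be dropped either by capturing the pieces separately or by a replace() afterwards. The field names BracketText, Normalized and AllWhitespaceRemoved, and the simplified character classes in the rex patterns, are assumptions made for this illustration; S_Slot, S_Port and SlotAndPort are the names used in the question.

```spl
| makeresults
| eval _raw="Apr 15 17:25:49 +00:00 HOST06-XXXX [ Slot4 : OLTPort3 : ONU7 : In service.]"
| rex field=_raw "\[\s*(?<S_Slot>[Ss]lot\d+)\s*:\s*(?<S_Port>[A-Za-z]+\d+)"
| eval SlotAndPort=S_Slot.":".S_Port
| rex field=_raw "\[\s*(?<BracketText>[^\]]+?)\s*\]"
| eval Normalized=replace(BracketText, "\s*:\s*", ":")
| eval AllWhitespaceRemoved=replace(BracketText, "\s", "")
| table SlotAndPort Normalized AllWhitespaceRemoved
```

Replacing only `\s*:\s*` tightens the separators and leaves the space in "In service." intact, while replacing every `\s` also joins those two words, which matters when the field is later matched against status strings.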