Solved: Confused with sed replace. Change 1,2,...,20,21,22...

ejpulsar · ‎07-15-2014

Hi,

I try to test sed expressions in search app for futher proper filtering of incoming data with SEDCMD.
Let 1 have a strings [0-9a-zA-Z]* delimited by commas. There can be no any string between commas.

i.e. 1,a,B,,D,5

I'm trying to build regex to change 21-th pattern occurence in the string to some fixed chars (#)

Splunk IFX gives me that perfect extraction regex

(?i)^(?:[^,]*,){21}(?P[^,]+)

I tried to transform it to sed replace

s/(?i)(?:[^,]*,){21}([^,]+,)/###,/

It gives me all string wiped from start to 22-th pattern occurence

###,22-th occurence,24,25

What am I doing wrong?

martin_mueller · ‎07-15-2014

Sed works like this: Take what was matched by the first part out and replace by the second part... so all your 21 strings are being removed. You can avoid that like this:

s/(?i)((?:[^,]*,){21})([^,]+,)/\1###,/

That captures the matched strings and retains them before the ###. Here's a dummy query to test:

| stats count | eval string = "a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z" | rex field=string mode=sed "s/(?i)((?:[^,]*,){21})([^,]+,)/\1###,/"

View solution in original post

martin_mueller · ‎07-15-2014

Sed works like this: Take what was matched by the first part out and replace by the second part... so all your 21 strings are being removed. You can avoid that like this:

s/(?i)((?:[^,]*,){21})([^,]+,)/\1###,/

That captures the matched strings and retains them before the ###. Here's a dummy query to test:

| stats count | eval string = "a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z" | rex field=string mode=sed "s/(?i)((?:[^,]*,){21})([^,]+,)/\1###,/"

ejpulsar · ‎07-15-2014

You are awesome right!
Thank you!

Confused with sed replace. Change 1,2,...,20,21,22 to 1,2,...,20,###,22

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?