I know that in general, regular expressions in Splunk use PCRE (or a modified PCRE for matching in props.conf source stanza headings). If I set SEDCMD in props.conf, e.g.:
SEDCMD-example = s/regex/subst/g
is the regex also PCRE? Standard sed uses grep or egrep regexes, not PCRE, so this isn't entirely clear.
SEDCMD uses PCRE regex and thus is equivalent to sed -r
props.conf.spec
SEDCMD-<class> = <sed script>
....
* Syntax:
  * replace - s/regex/replacement/flags
    * where regex is a perl regex (optionally containing capturing groups)
    * replacement is a string to replace the regex match, use \N for backreferences
    * flags can be either: g to replace all matches or a number to replace a specified match
  * substitute - y/string1/string2/
    * substitutes the string1[i] with string2[i]
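A props.conf stanza that relies on the Perl-style syntax quoted from props.conf.spec above, used here to mask sensitive values at index time. This is an added example, not part of the original question or answer; the sourcetype name, field names and sample event are constructed for illustration.

```ini
# props.conf (SEDCMD runs at index time, on the instance that parses the data)
# Hypothetical sourcetype; constructed sample event it is meant for:
#   2024-01-01T00:00:00Z user=alice card=4111111111111111 password=hunter2 action=pay
[example:payments]
# Keep only the last four digits of a 16-digit card number.
# \d is a Perl-style shorthand class; \1 is the \N backreference form from the spec.
SEDCMD-mask_card = s/card=\d{12}(\d{4})/card=xxxxxxxxxxxx\1/g
# Replace the whole password value; \S+ stops at the first whitespace character.
SEDCMD-mask_password = s/password=\S+/password=########/g
```

Masking done this way changes the raw event before it is written to the index, so the original values cannot be recovered from Splunk afterwards.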