Hi guys! I've got the following situation.
Trying to replace some characters in these events:
\device\harddiskvolume4\windows\system32\dns.exe
\device\harddiskvolume4\windows\system32\lsass.exe
\device\harddiskvolume2\program files (x86)\fortinet\fsae\collectoragent.exe
With this sentence:
EventCode=5156 Application_Name = "*System32*" OR Application_Name = "*program files*"
| eval mAppName=replace(Application_Name, ".+\\", "")
but when I try to do it, Splunk tells me "Error in 'eval' command: Regex: \ at end of pattern"
Why is that? And how can I solve it?
Thanks a lot for any answers
You should use sed to do a replace.
Show me what you currently have and what you want it to look like
It will be along the lines of this
... | rex mode=sed "s/<REGEX FROM ORIGINAL>/<REPLACE WITH>/g"
Keep adding backslashes \\ on top of the ones that you have until the error goes away. Yes, I really am serious; just like cowbells.
Holy shit this actually worked, lol. Nice one!
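The reason the extra backslashes work is that the pattern passes through two layers: the double-quoted eval string consumes one level of backslash escapes, and only then does the regex engine (PCRE in Splunk) see the result. Typing ".+\\" therefore hands the engine ".+\" with a lone trailing backslash, which is the "\ at end of pattern" error; typing ".+\\\\" hands it ".+\\", an escaped backslash that matches one literal backslash. The following added example (not code from this thread or from Splunk) models those two layers with Python string literals and the `re` module, which handles escapes the same way for this purpose; that Splunk's eval literal behaves like Python's double-quoted literal is an assumption consistent with the second answer above. The sample paths are constructed from the shape of the events in the question.

```python
import re

# Constructed sample events, modelled on the paths in the question.
SAMPLE_PATHS = [
    r"\device\harddiskvolume4\windows\system32\dns.exe",
    r"\device\harddiskvolume4\windows\system32\lsass.exe",
    r"\device\harddiskvolume2\program files (x86)\fortinet\fsae\collectoragent.exe",
]


def pattern_status(pattern: str) -> str:
    """Report what the regex engine does with the pattern it actually receives.

    The argument is the pattern *after* the string layer has processed
    backslash escapes, i.e. exactly the text the regex compiler is given.
    Returns "ok" or "error: <reason>".
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        return f"error: {exc}"
    return "ok"


def strip_directory(path: str) -> str:
    """Return the file name by dropping everything up to the last backslash.

    The raw string r".+\\" delivers ".+\\" to the engine: the escaped backslash
    matches one literal backslash, and greedy .+ runs to the last one, so only
    the base name survives. This is the intent of the eval in the question.
    """
    return re.sub(r".+\\", "", path)


if __name__ == "__main__":
    # Layer 1 (string literal) turns ".+\\" into the three characters .+\ ;
    # layer 2 (regex compile) then rejects the dangling backslash.
    # Assumption: Splunk's double-quoted eval literal strips one escape level too.
    print(repr(".+\\"), "->", pattern_status(".+\\"))
    # Doubling again leaves .+\\ for the engine, which is a valid literal-backslash match.
    print(repr(".+\\\\"), "->", pattern_status(".+\\\\"))
    for p in SAMPLE_PATHS:
        print(strip_directory(p))
```

Run stand-alone, the script reports an error for the two-backslash form, "ok" for the four-backslash form, and prints dns.exe, lsass.exe and collectoragent.exe for the three sample paths. Translated back to the search, the same logic says the eval should read replace(Application_Name, ".+\\\\", "") (assumption, but it matches the "keep adding backslashes" answer); the sed-style rex from the first answer needs the same treatment, because its "s/.../.../g" string goes through the same quoting layer before the regex engine sees it.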