Splunk Search

Eval, Replace and Regular Expression

jnahuelperez35
Path Finder

Hi Guys! i've got the next situation

Trying to replace some characters in this events:

\device\harddiskvolume4\windows\system32\dns.exe
\device\harddiskvolume4\windows\system32\lsass.exe
\device\harddiskvolume2\program files (x86)\fortinet\fsae\collectoragent.exe

With this sentence:

EventCode=5156 Application_Name = "*System32*" OR Application_Name = "*program files*"
| eval mAppName=replace(Application_Name, ".+\\", "") 

but when i try to do it Splunk tells me "Error in 'eval' command: Regex: \ at end of pattern"

Why is that? and how can i solve it?
Thanks a lot for answers

1 Solution

skoelpin
SplunkTrust
SplunkTrust

You should use sed to do a replace..

Show me what you currently have and what you want it to look like

It will be along the lines of this

... | rex mode=sed "s/<REGEX FROM ORIGINAL>/<REPLACE WITH>/g"

View solution in original post

0 Karma

woodcock
Esteemed Legend

Keep adding backslashes \\ on top of the ones that you have until the error goes away. Yes, I really am serious; just like cowbells.

andrewtrobec
Motivator

Holy shit this actually worked, lol. Nice one!

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You should use sed to do a replace..

Show me what you currently have and what you want it to look like

It will be along the lines of this

... | rex mode=sed "s/<REGEX FROM ORIGINAL>/<REPLACE WITH>/g"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...