OK now this makes sense.  Your actual regex is not simply s/abc/def/, but something like s/^abc/def/.  In regex, "^" and "$" are anchors that do not correspond to actual characters.  Whereas "abc" is anchored at the beginning of the field "query", it may not - and often is not anchored at the beginning of _raw.

Suppose your raw event is

Splunk will give you

In this case,

| rex field=query mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//"

will give you

but

| rex mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//"

gives

Does this sound right?

In such cases, you will need to find other ways to anchor your replacements in regex.  In the above example,  "query" in the raw event is bounded by quotation marks.  So, you can use quotation marks as anchor, i.e.,

| rex mode=sed "s/\(.*?\)/./g s/\"\.+(\s+)?/\"/ s/\.\"/\"/"

 Of course, depending on actual raw events, /\(.*?\)/ could be way too broad, and quotation marks could be used in other fields that may legitimately begin or end with a dot.  So, this might be a safer choice:

| rex mode=sed "s/\"\(\d+\){1,}(\s+)?/\"/ s/\(\d+\)\"/\"/ s/\(\d+\)/./g"

When I try the two samples provided;

| rex mode=sed "s/\(.*?\)/./g s/\"\.+(\s+)?/\"/ s/\.\"/\"/"

and 

| rex mode=sed "s/\"\(\d+\){1,}(\s+)?/\"/ s/\(\d+\)\"/\"/ s/\(\d+\)/./g"

 They run without error but don't actually modify the output.  Similar to what I was seeing earlier.  

I really appreciate your help with this

Can you share more of raw data than just (3)www(6)google(3)com(0)?

Here are a few more examples;

(3)www(6)google(2)ca(0)

(7)outlook(9)office365(3)com(0)

(7)updates(4)asdf(3)com(0)

(4)test(4)test(3)com(0)

---

@secphilomath1 wrote:

Here are a few more examples;

(3)www(6)google(2)ca(0)

(7)outlook(9)office365(3)com(0)

(7)updates(4)asdf(3)com(0)

(4)test(4)test(3)com(0)

---

This is not what meant by more details of raw events because all of these can pass the original regex.  I want to see what is surrounding the RAW events, not just query field.  In other word, it is critical to know the boundary before the first "." and the last ".".  Without knowing that, volunteers are just wasting time speculating.

It is impossible that an entire raw event only contains a single string "(7)updates(4)asdf(3)com(0)". (Otherwise your original regex should have succeeded.)  Is this correct?

Also, you said somewhere earlier that you want to do this "on indexing". So what's the real issue here?

Ok, I am an idiot and apologize, I am building my experience in Splunk still.  I was outputting the results to a table but when I went to look at the raw data I see that the following is actually working!

index=wineventlog eventtype="msad-dns-debuglog"

| rex mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//"

I am getting .www.google.com in the raw data which is a lot closer than I thought I was.  I am unsure why I am still getting that leading dot, but this is something.  

you are right, I want to catch this in indexing but wanted to verify my sed logic was accurate before I did that.

---

index=wineventlog eventtype="msad-dns-debuglog"

| rex mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//"

I am getting .www.google.com in the raw data which is a lot closer than I thought I was.  I am unsure

---

You are still not illustrating what is in the raw event.  This result only suggests that

1. the targeted string (e.g., "(3)www(6)google(3)com(0)") is at the end of the line in the raw event (thus positive on s/\.$//);
2. there is some other string before the target string in the raw event (thus negative for s/^\.+(\s+)?//); and
3. the character immediately before the target string is not a quotation mark as I used to illustrate my point about anchor in regex.

If there is some guarantee that 1 is always true in eventtype mdad-dns-debuglog, it would be fine to anchor your regex against $.  But you have to show us what that leading anchor can possibly be.  By the way, using elimination of \. AFTER substitution, whether leading or trailing, is a very risky strategy because you could easily be altering parts of the raw string you don't want to alter.  It is much safer to be explicit about those "(3)", etc.

If you want to be as generic as possible but minimize the risk of undesirable alterations, this is perhaps the best approach:

| rex mode=sed "s/(\W+)\(\d+\)/\1/ s/\(\d+\)$// s/\(\d+\)(\W)/\1/ s/(\w)\(\d+\)(\w)/\1.\2/g"

Would this count as a calculated field, this is all I see in the props.conf currently for this particular field.

FIELDALIAS-query = questionname AS query

That is a field alias, not calculated field.  Based on this information, I assume that questionname is in raw events.  Do you see any event with questionname and "abc"?  I understand the need to anonymize data.  But you need to describe your data characteristics accurately.  What is the data format?  Key-value pair? JSON?  XML? Freehand?  Given a snippet of raw event, how is Splunk supposed to know how to populate questionname?

Also, does the test query return any events?

Ok, using the original data, here is a result that works.....

| makeresults
| eval _raw="(3)www(6)google(2)ca(0)"

| rex mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//"

I get 
www.google.ca