Solved: How can I replace Parenthesis in a URL field with ...

yossefn · ‎06-18-2020

Hi,

I have a DNS logs with Parenthesis + numbers instead of Dots in the URL filed.

How can I replace them with a Dots?

Below are some examples from the logs.

(5)_ldap(4)_tcp(5)cmp(6)_sites(3)rub(3)net(2)oz(0)
(4)wpad(3)rub(3)net(0)
(5)_ldap(4)_tcp(2)dc(6)_msdcs(9)dc(7)core(2)t4(3)rub(3)net(0)

Thank you!

richgalloway · ‎06-18-2020

Use SED.

| makeresults | eval data="(5)_ldap(4)_tcp(5)cmp(6)_sites(3)rub(3)net(2)oz(0)
(4)wpad(3)rub(3)net(0)
(5)_ldap(4)_tcp(2)dc(6)_msdcs(9)dc(7)core(2)t4(3)rub(3)net(0)"
| rex field=data mode=sed "s/(\(\d+)\)/./g"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-18-2020

Use SED.

| makeresults | eval data="(5)_ldap(4)_tcp(5)cmp(6)_sites(3)rub(3)net(2)oz(0)
(4)wpad(3)rub(3)net(0)
(5)_ldap(4)_tcp(2)dc(6)_msdcs(9)dc(7)core(2)t4(3)rub(3)net(0)"
| rex field=data mode=sed "s/(\(\d+)\)/./g"

---
If this reply helps you, Karma would be appreciated.

yossefn · ‎06-18-2020

Wow, that was fast 🙂

Thanks @richgalloway for the solution!

How can I replace Parenthesis in a URL field with Dots?

eval

regex

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?