How do I replace '," with ";" between a bracket?

jianyu75074 · ‎01-01-2019

I have raw data:

IMS,CSCF1,,,{REGISTER,19728881234@domain.com;user=phone,200},,{PUBLISH,19728881234@domain.com;user=phone,200}

I want the results as below. The field positions are fixed. Each interface field may present with value or not:

(null)
field1 is node type = "IMS"
field2 is node name = CSCF1
field3 is interface1 = null here
field4 is interface2 = null here
field5 is interface3 = "{REGISTER,19728881234@domain.com;user=phone,200}"
field6 is interface4 = null here
field7 is interface5 = "{PUBLISH,19728881234@domain.com;user=phone,200}"

I am going to do field extraction with delimiter ",". My problem is there is "," inside of interface field. If I can replace "," with ";" e.g. "{REGISTER;19728881234@domain.com;user=phone];200}", then I think I can delimit it.

So, my question is, how do I change my original data to:

IMS,CSCF1,,,{REGISTER;19728881234@domain.com;user=phone;200},,{PUBLISH;19728881234@domain.com;user=phone;200}

Or do you have a better suggestion? Thank you very much!

MousumiChowdhur · ‎01-02-2019

Hi @jianyu75074 ,

You may use the below regex to extract the field values instead of using delimiter.

<your search> | rex "(?P<nodetype>\w+[^\,]+),(?P<nodename>\w+[^\,]+),(?P<interface1>[^\,]*),(?P<interface2>[^\,]*),(?P<interface3>\{.*?\}),(?P<interface4>[^\,]*),(?P<interfce5>\{.*?\})"

Thank You!

sdchakraborty · ‎01-02-2019

Hi,
Can you try the below rex and see whether it resolves your query, I have given an example search too,

| makeresults 
| eval str = "IMS,CSCF1,,,{REGISTER,19728881234@domain.com;user=phone,200},,{PUBLISH,19728881234@domain.com;user=phone,200}"
| rex field=str "(?<node_type>\w*),(?<node_name>\w*),(?<interface1>{.*})?,(?<interface2>{.*})?,(?<interface3>{.*})?,(?<interface4>{.*})?,(?<interface5>{.*})?"

Sid

How do I replace '," with ";" between a bracket?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes