Solved: Re: How do I reverse/swap characters in a string v...

ajay_mk · ‎09-11-2015

Hi,

If my search returns a string value of "ABCDEF"

1) How do I modify the search to reverse this value so it outputs "FEDCBA" ?

2) How do I swap characters from this value so it outputs "BADCFE" ? (1st 2 characters are being swapped)

Thanks!

woodcock · ‎09-11-2015

This does just the first 2:

... | rex field=myField mode=sed "s/(.)(.)/\2\1/" | table host

Extend the example (more (.) in the first section and more \# in the second section) to reverse longer strings.

This byteswaps an entire string of any length (every pair):

... | rex field=myField mode=sed "s/(.)(.)/\2\1/g" | table host

View solution in original post

jhuysing · ‎07-22-2019

This solution works for a fixed length string. Is there way of performing character reversal for variable length fields apart from have multiple regex's with different search and replacments lengths

|rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\10\9\8\7\6\5\4\3\2\1/"
| rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\9\8\7\6\5\4\3\2\1/"
| rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\8\7\6\5\4\3\2\1/"

woodcock · ‎07-23-2019

Post a new question.

wrangler2x · ‎11-06-2015

Reverse that string:

| gentimes start=-1| eval forward="ABCDEF" | eval reverse=replace(forward,"(.)(.)(.)(.)(.)(.)","\6\5\4\3\2\1")| table forward reverse

Reverse the first two characters only:

| gentimes start=-1| eval forward="ABCDEF" | eval reverse2=replace(forward,"(.)(.)","\2\1")| table forward reverse2

wrangler2x · ‎11-06-2015

Think of | gentimes start=-1 as your search. This just allows the demonstration of this function, but any search can replace that part. And -- of course, the | eval forward="ABCDEF" is just the setup to give us a string to work with. In a real search that would be omitted, and forward could be any field with a string in it. 🙂

woodcock · ‎09-11-2015

This does just the first 2:

... | rex field=myField mode=sed "s/(.)(.)/\2\1/" | table host

Extend the example (more (.) in the first section and more \# in the second section) to reverse longer strings.

This byteswaps an entire string of any length (every pair):

... | rex field=myField mode=sed "s/(.)(.)/\2\1/g" | table host

ajay_mk · ‎09-11-2015

Hey thanks I just ran what you mentioned but its only swapping the first 2 characters.

Value to swap = 535276

Swapped value 355276

Changing the lengths doesnt seem to work?

somesoni2 · ‎09-11-2015

Did you add the 'g' in the end as mentioed in the comment? Try this runanywhere sample search

| gentimes start=-1 | eval myField="535276" |  rex field=myField mode=sed "s/(.)(.)/\2\1/g"

ajay_mk · ‎09-11-2015

yes the g worked thanks again.

somesoni2 · ‎09-11-2015

I would suggest one correction to add "g" flag in the end to do it for all characters. like s/(.)(.)/\2\1/g

MuS · ‎09-12-2015

Sorry guys, but this is one of the sweetest regex ever on answers! 🙂

woodcock · ‎09-16-2015

OK @MuS, cough up some up-vote love!

ajay_mk · ‎09-11-2015

ha perfect that worked. thank you both!

somesoni2 · ‎09-11-2015

Don't forget to accept the answer by clicking on the Accept hyperlink below the answer.

How do I reverse/swap characters in a string value returned from a search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation