Splunk Search

How do I reverse/swap characters in a string value returned from a search?

Explorer

Hi,

If my search returns a string value of "ABCDEF"

1) How do I modify the search to reverse this value so it outputs "FEDCBA" ?

2) How do I swap characters from this value so it outputs "BADCFE" ? (1st 2 characters are being swapped)

Thanks!

1 Solution

Esteemed Legend

This does just the first 2:

... | rex field=myField mode=sed "s/(.)(.)/\2\1/" | table host

Extend the example (more (.) in the first section and more \# in the second section) to reverse longer strings.

This byteswaps an entire string of any length (every pair):

... | rex field=myField mode=sed "s/(.)(.)/\2\1/g" | table host


New Member

This solution works for a fixed-length string. Is there a way of performing character reversal for variable-length fields, apart from having multiple regexes with different search and replacement lengths?

|rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\10\9\8\7\6\5\4\3\2\1/"
| rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\9\8\7\6\5\4\3\2\1/"
| rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\8\7\6\5\4\3\2\1/"

0 Karma

Esteemed Legend

Post a new question.

0 Karma

Motivator

Reverse that string:

| gentimes start=-1| eval forward="ABCDEF" | eval reverse=replace(forward,"(.)(.)(.)(.)(.)(.)","\6\5\4\3\2\1")| table forward reverse

Reverse the first two characters only:

| gentimes start=-1| eval forward="ABCDEF" | eval reverse2=replace(forward,"(.)(.)","\2\1")| table forward reverse2
0 Karma

Motivator

Think of | gentimes start=-1 as your search. This just allows the demonstration of this function, but any search can replace that part. And -- of course, the | eval forward="ABCDEF" is just the setup to give us a string to work with. In a real search that would be omitted, and forward could be any field with a string in it. 🙂

0 Karma

Explorer

Hey, thanks. I just ran what you mentioned, but it's only swapping the first 2 characters.

Value to swap = 535276

Swapped value 355276

Changing the lengths doesn't seem to work?

0 Karma

Revered Legend

Did you add the 'g' at the end as mentioned in the comment? Try this run-anywhere sample search:

| gentimes start=-1 | eval myField="535276" |  rex field=myField mode=sed "s/(.)(.)/\2\1/g"

Explorer

Yes, the g worked. Thanks again.

Revered Legend

I would suggest one correction: add the "g" flag at the end to do it for all characters, like s/(.)(.)/\2\1/g

SplunkTrust

Sorry guys, but this is one of the sweetest regex ever on answers! 🙂

Esteemed Legend

OK @MuS, cough up some up-vote love!

0 Karma

Explorer

Ha, perfect, that worked. Thank you both!

Revered Legend

Don't forget to accept the answer by clicking on the Accept hyperlink below the answer.

0 Karma
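
What the g flag changes, and why a fixed number of capture groups only reverses strings of one length, shown as an added example that is not part of the original thread. It approximates the rex mode=sed substitution with Python's re module (an assumption, since Splunk runs its own regex engine); the helper names parse_sed, apply_sed and preview are hypothetical, and the sample values are the ones quoted in the thread plus constructed variants.

```python
import re

def parse_sed(expr):
    """Split a sed-style 's/regex/replacement/flags' string into its parts."""
    if not expr.startswith("s/"):
        raise ValueError("only s/// expressions are handled")
    # Split on '/' characters that are not escaped with a backslash.
    parts = re.split(r"(?<!\\)/", expr[2:])
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    return tuple(parts)  # (regex, replacement, flags)

def apply_sed(expr, value):
    """Apply the substitution once, or to every match when 'g' is set."""
    regex, replacement, flags = parse_sed(expr)
    count = 0 if "g" in flags else 1  # re.sub: count=0 means "all matches"
    return re.sub(regex, replacement, value, count=count)

SWAP_FIRST = r"s/(.)(.)/\2\1/"    # no flag: first pair only
SWAP_ALL = r"s/(.)(.)/\2\1/g"     # g flag: every non-overlapping pair
REVERSE_6 = r"s/(.)(.)(.)(.)(.)(.)/\6\5\4\3\2\1/"  # six groups, six characters

def preview():
    """Return the results for the thread's values and constructed edge cases."""
    return {
        "first_pair": apply_sed(SWAP_FIRST, "535276"),
        "every_pair": apply_sed(SWAP_ALL, "535276"),
        "letters": apply_sed(SWAP_ALL, "ABCDEF"),
        # Odd length: the last character has no partner and is left in place.
        "odd_length": apply_sed(SWAP_ALL, "ABCDE"),
        "reverse_exact": apply_sed(REVERSE_6, "ABCDEF"),
        # Shorter than six characters: the pattern cannot match, nothing changes.
        "reverse_short": apply_sed(REVERSE_6, "ABCD"),
        # Longer than six: only the first six characters are reversed.
        "reverse_long": apply_sed(REVERSE_6, "ABCDEFGH"),
    }

if __name__ == "__main__":
    for name, result in preview().items():
        print(f"{name:14} {result}")
```

The reverse_short and reverse_long rows are the fixed-length limitation raised in the thread: the six-group pattern silently leaves other lengths unreversed or partly reversed.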