Splunk Search

How do I reverse/swap characters in a string value returned from a search?

Explorer

Hi,

If my search returns a string value of "ABCDEF"

1) How do I modify the search to reverse this value so it outputs "FEDCBA"?

2) How do I swap characters from this value so it outputs "BADCFE" ? (1st 2 characters are being swapped)

Thanks!

1 Solution

Esteemed Legend

This does just the first 2:

... | rex field=myField mode=sed "s/(.)(.)/\2\1/" | table host

Extend the example (more (.) in the first section and more \# in the second section) to reverse longer strings.

This byteswaps an entire string of any length (every pair):

... | rex field=myField mode=sed "s/(.)(.)/\2\1/g" | table host


New Member

This solution works for a fixed-length string. Is there a way of performing character reversal for variable-length fields apart from having multiple regexes with different search and replacement lengths?

|rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\10\9\8\7\6\5\4\3\2\1/"
| rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\9\8\7\6\5\4\3\2\1/"
| rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\8\7\6\5\4\3\2\1/"

0 Karma

Esteemed Legend

Post a new question.

0 Karma

Motivator

Reverse that string:

| gentimes start=-1| eval forward="ABCDEF" | eval reverse=replace(forward,"(.)(.)(.)(.)(.)(.)","\6\5\4\3\2\1")| table forward reverse

Reverse the first two characters only:

| gentimes start=-1| eval forward="ABCDEF" | eval reverse2=replace(forward,"(.)(.)","\2\1")| table forward reverse2

0 Karma

Motivator

Think of | gentimes start=-1 as your search. This just allows the demonstration of this function, but any search can replace that part. And -- of course, the | eval forward="ABCDEF" is just the setup to give us a string to work with. In a real search that would be omitted, and forward could be any field with a string in it. 🙂

0 Karma

Explorer

Hey, thanks. I just ran what you mentioned, but it's only swapping the first 2 characters.

Value to swap = 535276

Swapped value 355276

Changing the lengths doesn't seem to work?

0 Karma

SplunkTrust

Did you add the 'g' at the end as mentioned in the comment? Try this run-anywhere sample search:

| gentimes start=-1 | eval myField="535276" |  rex field=myField mode=sed "s/(.)(.)/\2\1/g"

Explorer

Yes, the g worked, thanks again.

SplunkTrust

I would suggest one correction: add the "g" flag at the end to do it for all characters, like s/(.)(.)/\2\1/g

SplunkTrust

Sorry guys, but this is one of the sweetest regexes ever on answers! 🙂

Esteemed Legend

OK @MuS, cough up some up-vote love!

0 Karma

Explorer

Ha, perfect, that worked. Thank you both!

SplunkTrust

Don't forget to accept the answer by clicking on the Accept hyperlink below the answer.

0 Karma
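
The expressions from this thread, modelled with Python's re module as an added example (not code from any poster, and not run in Splunk): it shows the first-pair swap, the /g pair swap on even and odd lengths, and why a fixed-count reversal expression only reverses values of exactly that length. The function names are hypothetical, and Python's regex engine standing in for Splunk's sed mode is an assumption.

```python
import re

# Model of  s/(.)(.)/\2\1/  : without the g flag only the first pair is rewritten.
def swap_first_pair(value: str) -> str:
    return re.sub(r"(.)(.)", r"\2\1", value, count=1)

# Model of  s/(.)(.)/\2\1/g : every non-overlapping pair is rewritten.
# An odd-length value keeps its last character where it was.
def swap_every_pair(value: str) -> str:
    return re.sub(r"(.)(.)", r"\2\1", value)

# Build the fixed-length reversal expression the accepted answer describes:
# one (.) per character, then the backreferences in descending order.
def build_reverse_sed(length: int) -> str:
    if not 1 <= length <= 9:
        # Assumption of this example: stay at 9 groups so every
        # backreference is a single, unambiguous digit.
        raise ValueError("length must be between 1 and 9")
    groups = "(.)" * length
    backrefs = "".join(f"\\{i}" for i in range(length, 0, -1))
    return f"s/{groups}/{backrefs}/"

# Apply an s/pattern/replacement/[g] expression using Python's re.
# Only handles expressions with no "/" inside pattern or replacement.
def apply_sed(expr: str, value: str) -> str:
    _, pattern, replacement, flags = expr.split("/")
    return re.sub(pattern, replacement, value, count=0 if "g" in flags else 1)

if __name__ == "__main__":
    # Constructed sample values; "535276" and "ABCDEF" are the ones in the thread.
    for sample in ("535276", "ABCDEF", "ABCDE", "ABCDEFG"):
        six = build_reverse_sed(6)
        print(sample,
              swap_first_pair(sample),
              swap_every_pair(sample),
              apply_sed(six, sample))
```

A six-group expression leaves a five-character value untouched and reverses only the first six characters of a longer one, which is why it has to match the field length exactly.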