Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my regex to replace a number 0-9?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smaran06
Path Finder
05-22-2017
12:07 PM
Hi Team,
I have requirement, where I need to replace a series of numbers with something like this a/b/c/123456 with a/b/c{Id}.
When I use regex and use \d its replacing each and every decimal number with {Id} something like this a/b/c/{Id}{Id}{Id}{Id}{Id}{Id}.
I want something like a/b/c{Id}, can you let me know how this can be achieved.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-22-2017
05:10 PM
Like this:
|makeresults | eval raw="a/b/c/464646/d/e/242442424"
| rename COMMENT AS "Everything above fakes your data; everything below is your solution"
| rex field=raw mode=sed "s%/\d+/%/536RTYWW876Y788U998/% ... s%/\d+/%/536RTYWW876Y788U998/%"
Replace ... with as many additional iterations as you need of the sed command string.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-22-2017
05:10 PM
Like this:
|makeresults | eval raw="a/b/c/464646/d/e/242442424"
| rename COMMENT AS "Everything above fakes your data; everything below is your solution"
| rex field=raw mode=sed "s%/\d+/%/536RTYWW876Y788U998/% ... s%/\d+/%/536RTYWW876Y788U998/%"
Replace ... with as many additional iterations as you need of the sed command string.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smaran06
Path Finder
05-24-2017
02:03 PM
Thanks this is super helpful, I am able to reduce my spunk query to lot better state.
One last question how this can be achived in case of Alpha Numeric.
I tried something like this.
|rex field=Path mode=sed "s/\w+\d+/{Id}/"
It didn't, help me, please let me know, if I am doing anything wrong here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-25-2017
01:29 PM
So you are saying that your {Id} strings do contain numbers/digits? If so, is it really surrounded by the literal curly-brace characters { and } (that will make the modified solution easier)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smaran06
Path Finder
05-25-2017
11:07 PM
actually my string won't contain any curly braces, it looks like this.
536RTYWW876Y788U998
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-26-2017
10:07 AM
OK, I updated my answer to accommodate your replacement strings; try it now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-22-2017
02:12 PM
Like this:
|makeresults | eval raw="a/b/c/1234567"
| rename COMMENT AS "Everything above fakes your data; everything below is your solution"
| rex field=raw mode=sed "s%a/b/c/\\d+%a/b/c/{ld}%"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-22-2017
12:41 PM
Try like this
your base search | rex mode=sed field=yourfield "s/(\d+)/{Id}/"
OR
your base search | eval yourfield=replace(yourfield,"(\d+)","{Id}")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smaran06
Path Finder
05-22-2017
04:51 PM
Thanks, this works, can you please let me know, if we need to replace all such formats like below.
a/b/c/464646/d/e/242442424
I want output like this
a/b/c/{Id1}/d/e/{Id2}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-22-2017
05:03 PM
You really should be clear from the get-go. This is a very different request.
Get Updates on the Splunk Community!
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
