Solved: Re: How to edit my regex to replace a number 0-9?

smaran06 · ‎05-22-2017

Hi Team,

I have requirement, where I need to replace a series of numbers with something like this a/b/c/123456 with a/b/c{Id}.

When I use regex and use \d its replacing each and every decimal number with {Id} something like this a/b/c/{Id}{Id}{Id}{Id}{Id}{Id}.

I want something like a/b/c{Id}, can you let me know how this can be achieved.

woodcock · ‎05-22-2017

Like this:

|makeresults | eval raw="a/b/c/464646/d/e/242442424"

| rename COMMENT AS "Everything above fakes your data; everything below is your solution"

| rex field=raw mode=sed "s%/\d+/%/536RTYWW876Y788U998/% ... s%/\d+/%/536RTYWW876Y788U998/%"

Replace ... with as many additional iterations as you need of the sed command string.

View solution in original post

woodcock · ‎05-22-2017

Like this:

|makeresults | eval raw="a/b/c/464646/d/e/242442424"

| rename COMMENT AS "Everything above fakes your data; everything below is your solution"

| rex field=raw mode=sed "s%/\d+/%/536RTYWW876Y788U998/% ... s%/\d+/%/536RTYWW876Y788U998/%"

Replace ... with as many additional iterations as you need of the sed command string.

smaran06 · ‎05-24-2017

Thanks this is super helpful, I am able to reduce my spunk query to lot better state.

One last question how this can be achived in case of Alpha Numeric.

I tried something like this.

|rex field=Path mode=sed "s/\w+\d+/{Id}/"

It didn't, help me, please let me know, if I am doing anything wrong here

woodcock · ‎05-25-2017

So you are saying that your {Id} strings do contain numbers/digits? If so, is it really surrounded by the literal curly-brace characters { and } (that will make the modified solution easier)?

smaran06 · ‎05-25-2017

actually my string won't contain any curly braces, it looks like this.

536RTYWW876Y788U998

woodcock · ‎05-26-2017

OK, I updated my answer to accommodate your replacement strings; try it now.

woodcock · ‎05-22-2017

Like this:

|makeresults | eval raw="a/b/c/1234567"

| rename COMMENT AS "Everything above fakes your data; everything below is your solution"

| rex field=raw mode=sed "s%a/b/c/\\d+%a/b/c/{ld}%"

somesoni2 · ‎05-22-2017

Try like this

your base search | rex mode=sed field=yourfield "s/(\d+)/{Id}/"

OR

your base search | eval yourfield=replace(yourfield,"(\d+)","{Id}")

smaran06 · ‎05-22-2017

Thanks, this works, can you please let me know, if we need to replace all such formats like below.

a/b/c/464646/d/e/242442424

I want output like this

a/b/c/{Id1}/d/e/{Id2}

woodcock · ‎05-22-2017

You really should be clear from the get-go. This is a very different request.

How to edit my regex to replace a number 0-9?

Developer Spotlight with William Searle

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to edit my regex to replace a number 0-9?

Developer Spotlight with William Searle

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!