Solved: Re: How to edit my rex command to replace a string...

chintan_shah · ‎05-11-2017

Hi,
I want to replace the string "\x00" with spaces.
"CP REQUESTED \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" and i tried below commands but it didn't work.

rex mode=sed field=EXCP_MSG "s/\\x00/ /g"
replace \\x00 WITH " " IN EXCP_MSG|stats count  by EXCP_MSG

Can anyone help me and also which command is better to use?

woodcock · ‎05-11-2017

The first rule of RegEx and backslashes: if at first you don't succeed, add another backslash:

| makeresults 
| eval EXCP_MSG="CP REQUESTED \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 

| rename COMMENT AS "Everything above fakes sample data; everything below is your solution"

| rex mode=sed field=EXCP_MSG "s/\\\\x00/ /g"

View solution in original post

woodcock · ‎05-11-2017

The first rule of RegEx and backslashes: if at first you don't succeed, add another backslash:

| makeresults 
| eval EXCP_MSG="CP REQUESTED \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 

| rename COMMENT AS "Everything above fakes sample data; everything below is your solution"

| rex mode=sed field=EXCP_MSG "s/\\\\x00/ /g"

chintan_shah · ‎05-11-2017

Thanks Woodcock

How to edit my rex command to replace a string?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to edit my rex command to replace a string?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!