Splunk Search

How to remove \ (backslash) using from URLs rex sed?

ccsfdave
Builder

I am trying to remove the escaped characters of "\" from the URLs coming in via a Twitter REST feed. Does anyone have the secret sauce for forming a rex field= mode=sed?

Sample URL: http:\/\/pbs.twimg.com\/media\/CoyGo5cUsAEmIZF.jpg

Thanks!

0 Karma
1 Solution

gabriel_vasseur
Contributor

This works for me in the search window:

| eval yourfieldname=replace(yourfieldname,"\\\\(.)","\1")

EDIT: a few words of explanation... the string "\\\\(.)" actually corresponds to the regex \\(.) which will match a single backslash followed by any character. The backslash has to be escaped once for the regex and another time to be in a double-quoted string, hence why one becomes four. If you're using the regex in a .conf file, depending how you do it, you don't need to escape it twice. Hope that helps.

NOTE: the advantage of that approach is that if your raw data has an escaped backslash (i.e. two backslashes in a row), it will do the right thing and replace it with one backslash rather than blindly removing all backslashes.

NOTE: this is probably also possible using sed.

View solution in original post

Jeremiah
Motivator

Try this:

| gentimes start=-1 | eval url="http:\/\/pbs.twimg.com\/media\/CoyGo5cUsAEmIZF.jpg"  | rex mode=sed field=url "s/\\\//g"

You may also need to use the urldecode command for some urls (|eval url=urldecode(url)).

ccsfdave
Builder

This worked as well! two ways to skin this one! thanks!

0 Karma

gabriel_vasseur
Contributor

This works for me in the search window:

| eval yourfieldname=replace(yourfieldname,"\\\\(.)","\1")

EDIT: a few words of explanation... the string "\\\\(.)" actually corresponds to the regex \\(.) which will match a single backslash followed by any character. The backslash has to be escaped once for the regex and another time to be in a double-quoted string, hence why one becomes four. If you're using the regex in a .conf file, depending how you do it, you don't need to escape it twice. Hope that helps.

NOTE: the advantage of that approach is that if your raw data has an escaped backslash (i.e. two backslashes in a row), it will do the right thing and replace it with one backslash rather than blindly removing all backslashes.

NOTE: this is probably also possible using sed.

wolanm1
Explorer

Over 4 years later and this post still helped me solve my problem! Thank you!

0 Karma

ccsfdave
Builder

this worked, thanks!

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...