Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace all "confusable" characters in field in data model?

jasmartin
Explorer
‎03-21-2023 08:59 AM

Hello, I am attempting to replace a large unwieldy macro with a data model. Part of the macro is a rex command that finds what we call "confusable characters" that are the highbit versions of ASCII characters, like 𝟐 or ꓜ, and replaces them with the ASCII versions (2 or Z respectively), like this:

rex field=$arg1$ mode=sed "y/𝟐𝟚𝟤𝟮𝟸ꝚƧϨꙄᒿꛯ/22222222222/"

The actual macro is much longer and encompasses all numbers and letters.

I have been having difficultly figuring out how to incorporate this into the data model. I've been able to use a CSV lookup like this:

char_search,old_char,new_char
*𝟐*,𝟐,2
*ꓜ*,ꓜ,Z

Make char_search a wildcard match field, and use this query:

| makeresults
| eval t="dfasdf𝟐𝟐"
| lookup CSVconfusables char_search as t OUTPUT
| eval u=replace(t,old_char,new_char)

It works find with 1 character to replace, but when there are multiple to replace, the lookup output fields become multivalue and replace doesn't work:

| makeresults
| eval t="ꓜdfasdf𝟐𝟐"
| lookup CSVconfusables char_search as t OUTPUT
| eval u=replace(t,old_char,new_char)

Is there any way to accomplish what the macro is doing in a data model? Thanks in advance!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-21-2023 03:16 PM

@richgalloway's idea was close. If I understand you well, you need something like

 

| eval arg1=replace(arg1,"[𝟐𝟚𝟤𝟮𝟸ꝚƧϨꙄᒿꛯ]","2")

 

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-21-2023 12:27 PM

Since the replace function uses regular expressions as does rex, have you tried putting the expressions from the macro into the DM?

| eval arg1=replace(arg1,"𝟐𝟚𝟤𝟮𝟸ꝚƧϨꙄᒿꛯ","22222222222")

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jasmartin
Explorer
‎03-21-2023 12:47 PM

Hi richgalloway , unfortunately that doesn't do what I need it to do. replace searches for the whole given string to replace. I want to do what sed does with "y/", where it's a one-on-one replacement.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-21-2023 03:16 PM

@richgalloway's idea was close. If I understand you well, you need something like

 

| eval arg1=replace(arg1,"[𝟐𝟚𝟤𝟮𝟸ꝚƧϨꙄᒿꛯ]","2")

 

Reply
Solved! Jump to solution

jasmartin
Explorer
‎03-22-2023 03:44 AM

That will work, thank you!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...