Splunk Search

How to replace replace strings?

saurabhkunte
Path Finder

Hello,
I have a lookup file with data in following format

name _time
srv-a.xyz.com 2017.07.23
srv-b.wxyz.com 2017.07.23

I want to replace .xyz.com with wxyz.com

My replace query does this correctly for values which end with .xyz.com. However, for values ending with .wxyz.com it adds an extra . (dot) to the result.

| eval name = replace(name,".xyz.com", ".wxyz.com")
So the final output looks like :

name _time
srv-a.wxyz.com 2017.07.23
srv-b..wxyz.com 2017.07.23

Why is that? Any help on this is highly appreciated. Thanks

1 Solution

Richfez
SplunkTrust

The replace function actually is regex. From the most excellent docs on replace:

replace(X,Y,Z) - This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

The X and Z portions are just strings, so in there a period is just a period, right?
The Y is a REGEX, and regular expressions use the dot as a wildcard for "any single character".

That means in replace(name,".xyz.com", ".wxyz.com") you are replacing every occurrence of <any single character>xyz<any single character>com with ".wxyz.com".

If you want to use replace with literally what you wrote, just escape the periods by putting a backslash in front of them.

| eval name = replace(name,"\.xyz\.com", ".wxyz.com")

Here's a run-anywhere with it fixed. To watch it not work right, just remove the backslashes!

| makeresults 
| eval src=".wxyz.com"
| eval name = replace(src,"\.xyz\.com", ".wxyz.com")

Happy Splunking!
-Rich

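The accepted answer above can be reproduced outside Splunk. The following is an added example, not code from the thread or from Splunk: Python's `re.sub` stands in for Splunk's `replace(X,Y,Z)` (Splunk uses a PCRE engine, and for these simple patterns the two behave the same, which is an assumption stated here rather than something the thread verifies). The lookup rows are constructed to mirror the question. It shows the unescaped pattern producing the double dot, the escaped pattern fixing it, and a `re.escape()` form that quotes every metacharacter so nothing has to be hand-escaped. It also shows a side effect the thread only implies: an unescaped dot matches hostnames that are not in the intended domain at all, which matters when the same pattern gates an allowlist or a detection rule.

```python
import re

# Constructed sample rows mirroring the lookup in the question.
LOOKUP_ROWS = [
    {"name": "srv-a.xyz.com", "_time": "2017.07.23"},
    {"name": "srv-b.wxyz.com", "_time": "2017.07.23"},
]


def splunk_style_replace(value: str, pattern: str, replacement: str) -> str:
    """Stand-in for Splunk's replace(X, Y, Z): Y is a regex, Z is a plain
    string (backreferences aside), and every match is substituted."""
    return re.sub(pattern, replacement, value)


def rename_unescaped(name: str) -> str:
    # The pattern exactly as written in the question: each '.' is a
    # regex wildcard, so "wxyz.com" matches too (the 'w' is "any char").
    return splunk_style_replace(name, ".xyz.com", ".wxyz.com")


def rename_escaped(name: str) -> str:
    # The fix from the answer: a backslash turns each '.' into a literal period.
    return splunk_style_replace(name, r"\.xyz\.com", ".wxyz.com")


def rename_literal(name: str, old: str = ".xyz.com", new: str = ".wxyz.com") -> str:
    # General form: re.escape() quotes every regex metacharacter in `old`,
    # so the caller never has to remember which characters need escaping.
    return splunk_style_replace(name, re.escape(old), new)


def apply_to_lookup(rows, rename):
    """Apply a rename function to the 'name' column of each lookup row."""
    return [{**row, "name": rename(row["name"])} for row in rows]


if __name__ == "__main__":
    for row in apply_to_lookup(LOOKUP_ROWS, rename_unescaped):
        print("unescaped:", row["name"])   # srv-b..wxyz.com shows the bug
    for row in apply_to_lookup(LOOKUP_ROWS, rename_escaped):
        print("escaped:  ", row["name"])
    # Constructed hostname with no dots at all: the unescaped pattern
    # still matches it, the escaped one leaves it alone.
    print("unescaped on srv-cXxyzYcom:", rename_unescaped("srv-cXxyzYcom"))
    print("escaped on srv-cXxyzYcom:  ", rename_escaped("srv-cXxyzYcom"))
```

The last two lines are the practitioner's check: if a pattern is meant to match one specific domain, feed it a value that differs only in the separator characters and confirm it does not match.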

cmerriman
Super Champion

You can try this:

| replace "*.xyz.com" with "*.wxyz.com" in name

jaxjohnny2000
Builder

Thank you. What if we have multiple occurrences of a string?

Windows-10-Enterprise
Windows-7-Enterprise
WindowsServer-2008-R2-Enterprise

How would we replace all the "-" characters with a space?


Richfez
SplunkTrust

You would probably be better served by creating a new question.

In fact, I probably shouldn't answer this here, but the answer is the easy "exactly like you'd expect" in that replace doesn't stop at the first match. Here's a run-anywhere.

| makeresults 
| eval test1 = "WindowsServer-2008-R2-Enterprise"
| eval test2 = replace(test1, "-", "")

cmerriman
Super Champion

You could do |rex mode=sed field=field "s/-/ /g"


aebrittingham
Engager

I just used this and it did exactly what I wanted, put it at the end of my search and I didn't need to add extra stuff. Hence the point from me.

neo3779_splunk
Splunk Employee

I tried:


| makeresults count=10
| eval src=random().".wxyz.com"
| eval name = replace(src,".wxyz.com", ".abc.com")


To see how it worked.


unitedmarsupial
Path Finder

Thanks! It really is a full regular-expression substitution (using "extended" syntax) -- with capturing groups too. You can do things like replace(Field, ".* something ([A-Za-z]+) .*", "\1"). Character-classes (like [[:alnum:]]) do not seem to work, but that's less important.

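Two later points in the thread, that replace() substitutes every match rather than stopping at the first (the hyphen question and the `rex mode=sed "s/-/ /g"` answer) and that the pattern can use capturing groups with a backreference in the replacement (the `replace(Field, ".* something ([A-Za-z]+) .*", "\1")` note), are demonstrated together below. This is an added example in Python, not code from the thread or from Splunk; `re.sub` again stands in for Splunk's PCRE-based replace(), which is an assumption, and the host names and the log line are constructed. The `first_dash_only` function exists only for contrast, to show what "stopping at the first match" would have looked like.

```python
import re

# Constructed values from the follow-up question.
HOSTS = [
    "Windows-10-Enterprise",
    "Windows-7-Enterprise",
    "WindowsServer-2008-R2-Enterprise",
]


def dashes_to_spaces(value: str) -> str:
    # re.sub replaces every match by default (count=0), exactly like
    # Splunk's replace() and like the /g flag in sed's "s/-/ /g".
    return re.sub("-", " ", value)


def strip_dashes(value: str) -> str:
    # The variant Richfez ran: same pattern, empty replacement.
    return re.sub("-", "", value)


def first_dash_only(value: str) -> str:
    # For contrast only: count=1 stops after the first match, which is
    # the behaviour the follow-up question was worried about.
    return re.sub("-", " ", value, count=1)


def word_after_marker(value: str, marker: str) -> str:
    """Capturing group + backreference: replace the whole string with the
    word that follows `marker`, in the spirit of
    replace(Field, ".* something ([A-Za-z]+) .*", "\\1").
    Caveat shown by the second return path: when the regex does not match,
    replace() leaves the value unchanged, so the caller cannot tell a
    miss from a value that happened to look like a match."""
    pattern = r".* " + re.escape(marker) + r" ([A-Za-z]+) .*"
    if re.fullmatch(pattern, value) is None:
        return value            # unchanged, as replace() would leave it
    return re.sub(pattern, r"\1", value)


if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host!r:40} -> {dashes_to_spaces(host)!r}")
    print("first only:", first_dash_only(HOSTS[2]))
    # Constructed log line for the capturing-group case.
    line = "user logged in something Alpha from host"
    print("captured:", word_after_marker(line, "something"))
    print("no match:", word_after_marker("nothing to see here", "something"))
```

When the captured value feeds a later filter or a lookup, test the no-match path explicitly: a value that passes through unchanged is easy to mistake for a successful extraction.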

saurabhkunte
Path Finder

Thank you Rich! I overlooked the wildcard for any single character.
