How to replace replace strings?

saurabhkunte
Path Finder

Hello,
I have a lookup file with data in the following format

name _time
srv-a.xyz.com 2017.07.23
srv-b.wxyz.com 2017.07.23

I want to replace .xyz.com with wxyz.com

My replace query does this correctly for values which end with .xyz.com. However for values ending with .wxyz.com it adds an extra . (dot) to the result.

| eval name = replace(name,".xyz.com", ".wxyz.com")
So the final output looks like :

name _time
srv-a.wxyz.com 2017.07.23
srv-b..wxyz.com 2017.07.23

Why is that? Any help on this is highly appreciated. Thanks


Richfez
SplunkTrust
SplunkTrust

The replace function actually is regex. From the most excellent docs on replace:

replace(X,Y,Z) - This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

The X and Z portions are just strings, so in there a period is just a period, right?
The Y is a REGEX, and regular expressions use the dot as a wildcard for "any single character".

That means in replace(name,".xyz.com", ".wxyz.com") you are replacing every occurrence of <any single character>xyz<any single character>com with ".wxyz.com".

If you want to use replace with literally what you wrote, just escape the periods by putting a backslash in front of them.

| eval name = replace(name,"\.xyz\.com", ".wxyz.com")

Here's a run-anywhere with it fixed. To watch it not work right, just remove the backslashes!

| makeresults 
| eval src=".wxyz.com"
| eval name = replace(src,"\.xyz\.com", ".wxyz.com")

Happy Splunking!
-Rich

cmerriman
Super Champion

You can try this:

| replace "*.xyz.com" with "*.wxyz.com" in name

jaxjohnny2000
Builder

Thank you. What if we have multiple occurrences of a string?

Windows-10-Enterprise
Windows-7-Enterprise
WindowsServer-2008-R2-Enterprise

How would we replace all the "-" characters with a space?


Richfez
SplunkTrust
SplunkTrust

You would probably better be served by creating a new question.

In fact, I probably shouldn't answer this here, but the answer is the easy "exactly like you'd expect" in that replace doesn't stop at the first match. Here's a run-anywhere.

| makeresults 
| eval test1 = "WindowsServer-2008-R2-Enterprise"
| eval test2 = replace(test1, "-", "")
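To make the thread's point reproducible outside Splunk, here is an added Python example (not from any poster) that uses re.sub as a stand-in for eval replace(X,Y,Z), since both treat Y as a regex and both honour backslash-number group references in Z; Splunk's engine is PCRE, so treat the equivalence as an assumption. The rows are constructed to mirror the lookup in the question, and the block also shows the every-occurrence behaviour from Rich's second answer and the escaping that makes a data-derived suffix match only itself.

```python
import re

# Constructed rows mirroring the lookup in the question: (name, _time).
LOOKUP_ROWS = [
    ("srv-a.xyz.com", "2017.07.23"),
    ("srv-b.wxyz.com", "2017.07.23"),
]


def splunk_replace(x: str, y: str, z: str) -> str:
    """Stand-in for Splunk's eval replace(X, Y, Z): Y is a regex, every
    match in X is substituted, and Z may reference captured groups with
    a backslash followed by the group number (assumed equivalent here)."""
    return re.sub(y, z, x)


def rename_domain(rows, pattern: str, replacement: str):
    """Apply the substitution to the name column of every row."""
    return [(splunk_replace(name, pattern, replacement), t) for name, t in rows]


def literal_pattern(text: str) -> str:
    """Escape regex metacharacters so a suffix taken from data matches only
    itself; for ".xyz.com" this yields the hand-written \\.xyz\\.com."""
    return re.escape(text)


def collapse_separators(value: str, sep: str, with_: str) -> str:
    """replace() does not stop at the first hit: every separator is rewritten."""
    return splunk_replace(value, literal_pattern(sep), with_)


if __name__ == "__main__":
    # Unescaped: "." matches any character, so "wxyz.com" in srv-b.wxyz.com
    # also matches ("w" before xyz, "." before com) and the result gains a
    # second dot: srv-b..wxyz.com.
    print(rename_domain(LOOKUP_ROWS, ".xyz.com", ".wxyz.com"))
    # Escaped: only the literal suffix .xyz.com is rewritten; srv-b is untouched.
    print(rename_domain(LOOKUP_ROWS, literal_pattern(".xyz.com"), ".wxyz.com"))
    # Multiple occurrences, as in the follow-up question about "-" characters.
    print(collapse_separators("WindowsServer-2008-R2-Enterprise", "-", " "))
    # Group reference in Z, as unitedmarsupial notes further down the thread.
    print(splunk_replace("host srv-a.xyz.com up", r".* ([a-z-]+)\.xyz\.com.*", r"\1"))
```

The same over-match applies wherever a hostname or domain is compared with an unescaped regex, so the escaping shown here is the check to keep in mind whenever a pattern is meant to be literal.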

cmerriman
Super Champion

You could do |rex mode=sed field=field "s/-/ /g"


aebrittingham
Engager

I just used this and it did exactly what I wanted, put it at the end of my search and I didn't need to add extra stuff. Hence the point from me.

neo3779_splunk
Splunk Employee
Splunk Employee

I tried:

| makeresults count=10
| eval src=random().".wxyz.com"
| eval name = replace(src,".wxyz.com", ".abc.com")

To see how it worked.


unitedmarsupial
Path Finder

Thanks! It really is a full regular-expression substitution (using "extended" syntax) -- with capturing groups too. You can do things like replace(Field, ".* something ([A-Za-z]+) .*", "\1"). Character-classes (like [[:alnum:]]) do not seem to work, but that's less important.


saurabhkunte
Path Finder

Thank you, Rich! I overlooked the wildcard for any single character.
