Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace replace strings?

saurabhkunte
Path Finder
‎07-23-2017 04:02 AM

Hello,
I have a lookup file with data in following format

name _time
srv-a.xyz.com 2017.07.23
srv-b.wxyz.com 2017.07.23

I want to replace .xyz.com with wxyz.com

My replace query does this correctly for values which end with .xyz.com. However for values ending with .wxyz.com it adds an extra . (dot) to the result.

| eval name = replace(name,".xyz.com", ".wxyz.com")
So the final output looks like :

name _time
srv-a.wxyz.com 2017.07.23
srv-b..wxyz.com 2017.07.23

why is that ? Any help on this highly appreciated. Thanks

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎07-23-2017 05:17 AM

The replace function actually is regex. From the most excellent docs on replace:

replace(X,Y,Z) - This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

The X and Z portions are just strings, so in there a period is just a period, right?
The Y is a REGEX, and regular expressions use the dot as a wildcard for "any single character".

That means in replace(name,".xyz.com", ".wxyz.com") you are replacing every occurance of <any single character>xyz<any single character>com with ".wxyz.com".

If you want to use replace with literally what you wrote, just escape the periods by putting a backslash in front of them.

| eval name = replace(name,"\.xyz\.com", ".wxyz.com")

Here's a run-anywhere with it fixed. To watch it not work right, just remove the backslashes!

| makeresults 
| eval src=".wxyz.com"
| eval name = replace(src,"\.xyz\.com", ".wxyz.com")

Happy Splunking!
-Rich

View solution in original post

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-23-2017 12:13 PM

You can try this:

| replace "*.xyz.com" with "*.wxyz.com" in name
Reply
Solved! Jump to solution

jaxjohnny2000
Builder
‎07-11-2019 07:44 AM

Thank you. What if we have multiple occurrences of a string?

Windows-10-Enterprise
Windows-7-Enterprise
WindowsServer-2008-R2-Enterprise

How would we replace all the "-" characters with a space?

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎07-11-2019 08:17 AM

You would probably better be served by creating a new question.

In fact, I probably shouldn't answer this here, but the answer is the easy "exactly like you'd expect" in that replace doesn't stop at the first match. Here's a run-anywhere.

| makeresults 
| eval test1 = "WindowsServer-2008-R2-Enterprise"
| eval test2 = replace(test1, "-", "")
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-11-2019 08:11 AM

You could do |rex mode=sed field=field "s/-/ /g"

0 Karma
Reply
Solved! Jump to solution

aebrittingham
Engager
‎10-09-2018 09:29 AM

I just used this and it did exactly what I wanted, put it at the end of my search and I didn't need to add extra stuff. Hence the point from me.

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎07-23-2017 05:17 AM

The replace function actually is regex. From the most excellent docs on replace:

replace(X,Y,Z) - This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

The X and Z portions are just strings, so in there a period is just a period, right?
The Y is a REGEX, and regular expressions use the dot as a wildcard for "any single character".

That means in replace(name,".xyz.com", ".wxyz.com") you are replacing every occurance of <any single character>xyz<any single character>com with ".wxyz.com".

If you want to use replace with literally what you wrote, just escape the periods by putting a backslash in front of them.

| eval name = replace(name,"\.xyz\.com", ".wxyz.com")

Here's a run-anywhere with it fixed. To watch it not work right, just remove the backslashes!

| makeresults 
| eval src=".wxyz.com"
| eval name = replace(src,"\.xyz\.com", ".wxyz.com")

Happy Splunking!
-Rich

Reply
Solved! Jump to solution

neo3779_splunk
Splunk Employee
Splunk Employee
‎08-23-2023 04:48 AM

I tried:

 

| makeresults count=10
| eval src=random().".wxyz.com"
| eval name = replace(src,".wxyz.com", ".abc.com")

 

To see how it worked.

0 Karma
Reply
Solved! Jump to solution

unitedmarsupial
Path Finder
‎12-13-2019 08:00 AM

Thanks! It really is a full regular-expression substitution (using "extended" syntax) -- with capturing groups too. You can do things like replace(Field, ".* something ([A-Za-z]+) .*", "\1"). Character-classes (like [[:alnum:]]) do not seem to work, but that's less important.

0 Karma
Reply
Solved! Jump to solution

saurabhkunte
Path Finder
‎07-24-2017 12:05 AM

Thank you Rich ! I overlooked the wildcard for any single character.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...