Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use sed to replace a string with value ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to replace scheduleendtime=...& with scheduleendtime=valueOf(difference) in Splunk output.
In Linux shell, this can be done using sed s/scheduleendtime=[^&]*/scheduleendtime=$difference/. When I try using same command in splunk, I fail horribly. Splunk doesn't do variable replacement in sed rather every occurrence of "scheduleendtime=[^&]*" is replaced with "scheduleendtime=$difference" exact string.
... | eval difference = case(schedule_time_diff <= 4200,"<_1_hour", schedule_time_diff < 28800, "<_8_hours", schedule_time_diff < 172800, " <_2_days") | rex mode=sed s/scheduleendtime=[^&]*/scheduleendtime=$difference/
I used sed because I am comfortable with it. If you think another command works better in this scenario, please let me know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your comment above:
How can i insert that value in splunk output?
Here is how you can get the output back in raw and might not need sed at all:
... | eval difference = case(schedule_time_diff <= 4200,"<_1_hour", schedule_time_diff < 28800, "<_8_hours", schedule_time_diff < 172800, " <_2_days")
| rex "^(?<headOfText>.*scheduleendtime=)[^&]*(?<tailOfText>\&.*)"
| eval _raw=headOfText.difference.tailOfText
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your comment above:
How can i insert that value in splunk output?
Here is how you can get the output back in raw and might not need sed at all:
... | eval difference = case(schedule_time_diff <= 4200,"<_1_hour", schedule_time_diff < 28800, "<_8_hours", schedule_time_diff < 172800, " <_2_days")
| rex "^(?<headOfText>.*scheduleendtime=)[^&]*(?<tailOfText>\&.*)"
| eval _raw=headOfText.difference.tailOfText
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @gokadroid. This works like a charm.
BTW, you missed a quote at the end of 3rd line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
damn...I need to go to get my eyes checked up.. thanks man...editing the rex piece. An upvote will help a lot too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not just set scheduleendtimetodifferenceusingeval...eval scheduleendtime=difference`.?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That would create a variable named scheduleendtime and it would hold value of difference.
How can i insert that value in splunk output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about replace() function. Here's a simple example on how you might be able to use it
| makeresults
| eval searchtime="sometext&somemoretext"
| eval difference="123456"
| eval searchtime=replace(searchtime, "^([^&]+)", difference)
| table searchtime difference
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
