I'm kind of new to Splunk and found one syntax of replace when I read the official documentation. Here is the link: https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/TextFunctions
Could you please tell me where to find the syntax like "\2/\1/"? It's my first time seeing something like this, and I did not find any documentation about this kind of syntax.
Thanks in advance!
It's the third argument, and it's a reference group that is matched in the regex. So you can use it when your regex in the second argument results in a reference group.
Here is a simple example:
|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")
Those are regular expressions.
For the specific example, it interchanges the position of month and date, i.e. applying "^(\d{1,2})/(\d{1,2})/" on 1/14/2017 will yield 1 in 1st position and 14 in 2nd position, and "\2/\1/" will result in 14/1/2017.
References:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Regex
https://docs.splunk.com/Documentation/Splunk/8.0.4/Knowledge/AboutSplunkregularexpressions
Hi renjith_nair,
Thanks for your reply. I understand that this command will interchange the position of month and date. But this seems to be the first time I have seen something like "\2/\1/". Could you please tell me when we could use something like that?
See the link from your posted link to
https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/SPLandregularexpressions
where it discusses and provides more links about Splunk and PCRE regular expressions.
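The backreference behaviour discussed in this thread, as an added example that is not part of any of the posts above: it runs the documentation's pattern, plus a three-group variant, over four rows, two of which do not match the anchored regex. The `sample` values and the field names are constructed for illustration; the `changed` field flags rows where replace() found no match and returned the input as-is.

```spl
| makeresults count=4
| streamstats count AS n
| eval sample=case(n=1, "1/14/2017", n=2, "12/3/2020", n=3, "2017-01-14", n=4, "logged on 1/14/2017")
| eval swapped=replace(sample, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")
| eval reordered=replace(sample, "^(\d{1,2})/(\d{1,2})/(\d{4})$", "\3-\1-\2")
| eval changed=if(swapped!=sample, "yes", "no")
| table sample swapped reordered changed
```

Checking `changed` after a rewrite like this is a quick way to spot events whose format the pattern did not anticipate, such as a date that is not at the start of the field.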