Splunk Search

Question about replace(X,Y,Z) function

Scott_Wang
Explorer

Scott_Wang_0-1594181414473.png

I'm kind of new in Splunk and found one syntax of replace when I read the official document. Here is the link https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/TextFunctions

Could you please tell me where to find the syntax like "\2/\1/"? It's my first time to see something like this, and I did not find any document about this kind of syntax.

Thanks in advance!

 

Labels (1)
0 Karma
1 Solution

renjith_nair
Legend

It's the third argument and its a reference group that are matched in the regex. So you can use it when your regex in the second argument results reference group.

Here is a simple example

|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair
Legend

@Scott_Wang,

Those are regular expressions.

For the specific example, it interchanges the position of month and date

i.e

Applying 

"^(\d{1,2})/(\d{1,2})/"

on 1/14/2017 will yield 1 in 1st position and 14 in 2nd position and "\2/\1/" will result in 14/1/2017

References:

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Regex

https://docs.splunk.com/Documentation/Splunk/8.0.4/Knowledge/AboutSplunkregularexpressions

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

Scott_Wang
Explorer

Hi renjith_nair,

Thanks for your reply. I understand that this command will interchange the position of month and date. But it seems the first time I see something like "\2/\1/". Could you please tell me when we could use something like that?

 

0 Karma

renjith_nair
Legend

It's the third argument and its a reference group that are matched in the regex. So you can use it when your regex in the second argument results reference group.

Here is a simple example

|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

bowesmana
SplunkTrust
SplunkTrust

See the link from your posted link to 

https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/SPLandregularexpressions

where it discusses and provides more links about Splunk and PCRE regular expressions.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...