Splunk Search

Question about replace(X,Y,Z) function

Scott_Wang
Explorer

Scott_Wang_0-1594181414473.png

I'm kind of new in Splunk and found one syntax of replace when I read the official document. Here is the link https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/TextFunctions

Could you please tell me where to find the syntax like "\2/\1/"? It's my first time to see something like this, and I did not find any document about this kind of syntax.

Thanks in advance!

 

Labels (1)
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

It's the third argument and its a reference group that are matched in the regex. So you can use it when your regex in the second argument results reference group.

Here is a simple example

|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")

 

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@Scott_Wang,

Those are regular expressions.

For the specific example, it interchanges the position of month and date

i.e

Applying 

"^(\d{1,2})/(\d{1,2})/"

on 1/14/2017 will yield 1 in 1st position and 14 in 2nd position and "\2/\1/" will result in 14/1/2017

References:

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Regex

https://docs.splunk.com/Documentation/Splunk/8.0.4/Knowledge/AboutSplunkregularexpressions

 

Scott_Wang
Explorer

Hi renjith_nair,

Thanks for your reply. I understand that this command will interchange the position of month and date. But it seems the first time I see something like "\2/\1/". Could you please tell me when we could use something like that?

 

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

It's the third argument and its a reference group that are matched in the regex. So you can use it when your regex in the second argument results reference group.

Here is a simple example

|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")

 

View solution in original post

bowesmana
Champion

See the link from your posted link to 

https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/SPLandregularexpressions

where it discusses and provides more links about Splunk and PCRE regular expressions.

0 Karma