Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question about replace(X,Y,Z) function

Scott_Wang
Explorer
‎07-07-2020 09:14 PM

Scott_Wang_0-1594181414473.png

I'm kind of new in Splunk and found one syntax of replace when I read the official document. Here is the link https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/TextFunctions

Could you please tell me where to find the syntax like "\2/\1/"? It's my first time to see something like this, and I did not find any document about this kind of syntax.

Thanks in advance!

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-07-2020 10:11 PM

It's the third argument and its a reference group that are matched in the regex. So you can use it when your regex in the second argument results reference group.

Here is a simple example

|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-07-2020 09:36 PM

@Scott_Wang,

Those are regular expressions.

For the specific example, it interchanges the position of month and date

i.e

Applying 

"^(\d{1,2})/(\d{1,2})/"

on 1/14/2017 will yield 1 in 1st position and 14 in 2nd position and "\2/\1/" will result in 14/1/2017

References:

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Regex

https://docs.splunk.com/Documentation/Splunk/8.0.4/Knowledge/AboutSplunkregularexpressions

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Scott_Wang
Explorer
‎07-07-2020 09:41 PM

Hi renjith_nair,

Thanks for your reply. I understand that this command will interchange the position of month and date. But it seems the first time I see something like "\2/\1/". Could you please tell me when we could use something like that?

 

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-07-2020 10:11 PM

It's the third argument and its a reference group that are matched in the regex. So you can use it when your regex in the second argument results reference group.

Here is a simple example

|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎07-07-2020 10:10 PM

See the link from your posted link to 

https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/SPLandregularexpressions

where it discusses and provides more links about Splunk and PCRE regular expressions.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...