Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question about replace(X,Y,Z) function

Scott_Wang
Explorer
‎07-07-2020 09:14 PM

Scott_Wang_0-1594181414473.png

I'm kind of new in Splunk and found one syntax of replace when I read the official document. Here is the link https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/TextFunctions

Could you please tell me where to find the syntax like "\2/\1/"? It's my first time to see something like this, and I did not find any document about this kind of syntax.

Thanks in advance!

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-07-2020 10:11 PM

It's the third argument and its a reference group that are matched in the regex. So you can use it when your regex in the second argument results reference group.

Here is a simple example

|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-07-2020 09:36 PM

@Scott_Wang,

Those are regular expressions.

For the specific example, it interchanges the position of month and date

i.e

Applying 

"^(\d{1,2})/(\d{1,2})/"

on 1/14/2017 will yield 1 in 1st position and 14 in 2nd position and "\2/\1/" will result in 14/1/2017

References:

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Regex

https://docs.splunk.com/Documentation/Splunk/8.0.4/Knowledge/AboutSplunkregularexpressions

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Scott_Wang
Explorer
‎07-07-2020 09:41 PM

Hi renjith_nair,

Thanks for your reply. I understand that this command will interchange the position of month and date. But it seems the first time I see something like "\2/\1/". Could you please tell me when we could use something like that?

 

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-07-2020 10:11 PM

It's the third argument and its a reference group that are matched in the regex. So you can use it when your regex in the second argument results reference group.

Here is a simple example

|makeresults|eval text="first-second-third"|eval replacedText=replace(text,"(\w+)-(\w+)-(\w+)","\3-\2-\1")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎07-07-2020 10:10 PM

See the link from your posted link to 

https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/SPLandregularexpressions

where it discusses and provides more links about Splunk and PCRE regular expressions.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...