Splunk Search

Regex ignore adding underscore if there is a dash

mcarthurnick
New Member

Hey everyone. So what I need to do is complete the filename in one of my fields in an event. Example is this:

attachment = Filename ABC - 2019 111 CT.pdf

I am using the command: | rex mode=sed field=attachment "s/ /_/g" to replace the whitespace with underscores.

Question: How do I go about ignoring the whitespace before and after the dash. I am getting Filename_ABC_- _2019_111_CT.pdf when it needs to be Filename_ABC-2019_111_CT.pdf

Any help would be great. Thank you!

0 Karma
1 Solution

mayurr98
Super Champion

Try this :

| makeresults 
| eval attachment="Filename ABC - 2019 111 CT.pdf" 
| eval attachment=replace(attachment,"\s-\s","-"),attachment=replace(attachment,"\s","_")

let me know if this helps!

View solution in original post

0 Karma

mayurr98
Super Champion

Try this :

| makeresults 
| eval attachment="Filename ABC - 2019 111 CT.pdf" 
| eval attachment=replace(attachment,"\s-\s","-"),attachment=replace(attachment,"\s","_")

let me know if this helps!

0 Karma

mcarthurnick
New Member

This seemed to work for me. Thanks!

Can you explain to me how that works in some detail? Thank you.

0 Karma

mayurr98
Super Champion

Well, it's pretty simple,

replace is a text function of eval command. It has 3 arguments say, X, Y, Z. This function returns a string formed by substituting string Z for every occurrence of regex string Y in field value X.

Find a detailed explanation here:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/TextFunctions#replace.28X.2CY.2CZ...

0 Karma

mcarthurnick
New Member

Greatly Appreciated! Thank you.

0 Karma

saurabhkharkar
Path Finder
Try this

| makeresults
| eval attachment="Filename ABC - 2019 111 CT.pdf"
| rex mode=sed field=attachment "s/\s-\s/-/g"
| rex mode=sed field=attachment "s/\s/_/g" 
| table attachment
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...