Solved: Regex ignore adding underscore if there is a dash

mcarthurnick · ‎04-18-2019

Hey everyone. So what I need to do is complete the filename in one of my fields in an event. Example is this:

attachment = Filename ABC - 2019 111 CT.pdf

I am using the command: | rex mode=sed field=attachment "s/ /_/g" to replace the whitespace with underscores.

Question: How do I go about ignoring the whitespace before and after the dash. I am getting Filename_ABC_- _2019_111_CT.pdf when it needs to be Filename_ABC-2019_111_CT.pdf

Any help would be great. Thank you!

mayurr98 · ‎04-18-2019

Try this :

| makeresults 
| eval attachment="Filename ABC - 2019 111 CT.pdf" 
| eval attachment=replace(attachment,"\s-\s","-"),attachment=replace(attachment,"\s","_")

let me know if this helps!

View solution in original post

mayurr98 · ‎04-18-2019

Try this :

| makeresults 
| eval attachment="Filename ABC - 2019 111 CT.pdf" 
| eval attachment=replace(attachment,"\s-\s","-"),attachment=replace(attachment,"\s","_")

let me know if this helps!

mcarthurnick · ‎04-18-2019

This seemed to work for me. Thanks!

Can you explain to me how that works in some detail? Thank you.

mayurr98 · ‎04-18-2019

Well, it's pretty simple,

replace is a text function of eval command. It has 3 arguments say, X, Y, Z. This function returns a string formed by substituting string Z for every occurrence of regex string Y in field value X.

Find a detailed explanation here:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/TextFunctions#replace.28X.2CY.2CZ...

mcarthurnick · ‎04-19-2019

Greatly Appreciated! Thank you.

saurabhkharkar · ‎04-18-2019

Try this

| makeresults
| eval attachment="Filename ABC - 2019 111 CT.pdf"
| rex mode=sed field=attachment "s/\s-\s/-/g"
| rex mode=sed field=attachment "s/\s/_/g" 
| table attachment

Regex ignore adding underscore if there is a dash

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024