Splunk Search

Regex ignore adding underscore if there is a dash

New Member

Hey everyone. So what I need to do is complete the filename in one of my fields in an event. Example is this:

attachment = Filename ABC - 2019 111 CT.pdf

I am using the command: | rex mode=sed field=attachment "s/ /_/g" to replace the whitespace with underscores.

Question: How do I go about ignoring the whitespace before and after the dash? I am getting FilenameABC- 2019111_CT.pdf when it needs to be FilenameABC-2019111_CT.pdf

Any help would be great. Thank you!

0 Karma

Re: Regex ignore adding underscore if there is a dash

Path Finder
Try this

| makeresults
| eval attachment="Filename ABC - 2019 111 CT.pdf"
| rex mode=sed field=attachment "s/\s-\s/-/g"
| rex mode=sed field=attachment "s/\s/_/g" 
| table attachment
0 Karma

Re: Regex ignore adding underscore if there is a dash

SplunkTrust

Try this:

| makeresults 
| eval attachment="Filename ABC - 2019 111 CT.pdf" 
| eval attachment=replace(attachment,"\s-\s","-"),attachment=replace(attachment,"\s","_")

Let me know if this helps!

0 Karma

Re: Regex ignore adding underscore if there is a dash

New Member

This seemed to work for me. Thanks!

Can you explain to me how that works in some detail? Thank you.

0 Karma

Re: Regex ignore adding underscore if there is a dash

SplunkTrust

Well, it's pretty simple,

replace is a text function of the eval command. It has 3 arguments, say X, Y, Z. This function returns a string formed by substituting string Z for every occurrence of regex string Y in field value X.

Find a detailed explanation here:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/TextFunctions#replace.28X.2CY.2CZ...

0 Karma
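Why the order of the two replace calls matters, as an added example that is not part of the original thread: dash_first applies the thread's patterns in the accepted order, underscore_first reverses them (the spaces around the dash are already underscores, so "\s-\s" no longer matches and "_-_" remains), and tolerant goes beyond the thread by using "\s*-\s*" and "\s+" so uneven or repeated whitespace is also handled. The second and third filenames are constructed sample values, and the field names dash_first, underscore_first and tolerant are hypothetical.

```spl
| makeresults
| eval attachment=split("Filename ABC - 2019 111 CT.pdf|Report  -  Q1 2019.pdf|Invoice- 42.pdf", "|")
| mvexpand attachment
| eval dash_first=replace(replace(attachment, "\s-\s", "-"), "\s", "_")
| eval underscore_first=replace(replace(attachment, "\s", "_"), "\s-\s", "-")
| eval tolerant=replace(replace(attachment, "\s*-\s*", "-"), "\s+", "_")
| table attachment dash_first underscore_first tolerant
```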

Re: Regex ignore adding underscore if there is a dash

New Member

Greatly Appreciated! Thank you.

0 Karma