Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to insert ":" after every second character

coenvandijk
Observer
‎08-12-2017 06:18 AM

Hello

I have a string of all uppercase letters (no digits) I need a regex to insert a ":" after every second character FAGHIJGN becomes FA:GH:IJ:GN How can I do this with a regex?

Thanks in advance,
Coen

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-12-2017 04:13 PM

If with search:

| rex mode=sed "s/(\w{2})(?=\w{1,2})/\1:/g"

If with props:

 SEDCMD-aaa = s/(\w{2})(?=\w{1,2})/\1:/g

These work too:

| rex mode=sed "s/(\w{2})(?=\w+)/\1:/g"

SEDCMD-aaa = s/(\w{2})(?=\w+)/\1:/g

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-12-2017 08:31 PM

Like this:

... | rex field=YourFieldNameHere mode=sed "s/(.{2})/\1:/g s/:$//"
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-13-2017 01:36 PM

@woodcock - Holy crud, sed mode allows multiple replacements in a single call?

That would simplify the ... presentation, lets say... of my more complicated uses of the format command.

I have a NEW TOY!

See why I keep you guys around?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-13-2017 02:20 PM

Ask anybody, I am full of IT.

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-12-2017 04:13 PM

If with search:

| rex mode=sed "s/(\w{2})(?=\w{1,2})/\1:/g"

If with props:

 SEDCMD-aaa = s/(\w{2})(?=\w{1,2})/\1:/g

These work too:

| rex mode=sed "s/(\w{2})(?=\w+)/\1:/g"

SEDCMD-aaa = s/(\w{2})(?=\w+)/\1:/g
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-13-2017 01:21 PM

@jkat54 - As coded, wouldn't that be limited to even numbers of pairs? I think you want that second \w{2} to be a positive lookahead, and only add the colon after \1.

  | rex mode=sed "s/(\w{2})(?=\w{2})/\1:/g"
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎08-13-2017 01:57 PM

Worked on regex101.com with even or odd numbers of letters.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎08-13-2017 02:02 PM

Ah I was able to break it... and fix it

Your approach is better but doesn't work with 5,7,etc

This does:

(\w{2})(?=\w{1,2})

Updating my answer

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-13-2017 08:21 PM

@jkat54 - good point, but you can kill the {1,2} as redundant, since it's a zero length assertion so {1} is enough.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...