Splunk Search

Regex to insert ":" after every second character

coenvandijk
Observer

Hello

I have a string of all uppercase letters (no digits) I need a regex to insert a ":" after every second character FAGHIJGN becomes FA:GH:IJ:GN How can I do this with a regex?

Thanks in advance,
Coen

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

If with search:

| rex mode=sed "s/(\w{2})(?=\w{1,2})/\1:/g"

If with props:

 SEDCMD-aaa = s/(\w{2})(?=\w{1,2})/\1:/g

These work too:

| rex mode=sed "s/(\w{2})(?=\w+)/\1:/g"

SEDCMD-aaa = s/(\w{2})(?=\w+)/\1:/g

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex field=YourFieldNameHere mode=sed "s/(.{2})/\1:/g s/:$//"

DalJeanis
Legend

@woodcock - Holy crud, sed mode allows multiple replacements in a single call?

That would simplify the ... presentation, lets say... of my more complicated uses of the format command.

I have a NEW TOY!

See why I keep you guys around?

0 Karma

woodcock
Esteemed Legend

Ask anybody, I am full of IT.

jkat54
SplunkTrust
SplunkTrust

If with search:

| rex mode=sed "s/(\w{2})(?=\w{1,2})/\1:/g"

If with props:

 SEDCMD-aaa = s/(\w{2})(?=\w{1,2})/\1:/g

These work too:

| rex mode=sed "s/(\w{2})(?=\w+)/\1:/g"

SEDCMD-aaa = s/(\w{2})(?=\w+)/\1:/g
0 Karma

DalJeanis
Legend

@jkat54 - As coded, wouldn't that be limited to even numbers of pairs? I think you want that second \w{2} to be a positive lookahead, and only add the colon after \1.

  | rex mode=sed "s/(\w{2})(?=\w{2})/\1:/g"

jkat54
SplunkTrust
SplunkTrust

Worked on regex101.com with even or odd numbers of letters.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Ah I was able to break it... and fix it

Your approach is better but doesn't work with 5,7,etc

This does:

(\w{2})(?=\w{1,2})

Updating my answer

0 Karma

DalJeanis
Legend

@jkat54 - good point, but you can kill the {1,2} as redundant, since it's a zero length assertion so {1} is enough.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...