Re: Replace A pattern Splunk

baranova · ‎06-12-2014

Hello Guys ,

I have a field Month that have values like this

1-2013
10-2014
9-2014

i would like to get 0X-YYYY if month <10

so 1-2013 becomes 01-2013
10-2014 stays 10-2014
9-2014 becomes 09-2014

I've tried rex mode=sed field="Month" "s/(^[0-9]-.*)/0\1/" (it works fine on linux but not on Splunk ..)

Could you help me ?

Thanks !

grijhwani · ‎06-12-2014

I'm not familiar with sed mode, but have you tried escaping the square brackets with a backslash. Whenever a regex fails to match the expected results my first thought is always escaping special characters. Some regex modes assume special meaning unless expressly suppressed whilst others are the reverse, and just for fun some assume special meaning for one subset whilst not for others. It can be mind-bendingly confusing.

HiroshiSatoh · ‎06-12-2014

about using eval?

･･･|eval Month=if(len(Month)==6,"0"+Month,Month)

Replace A pattern Splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation