Splunk Search

Replace Characters- How can I replace \\\\ for \ ?

Tincho
Engager

Hi guys how are you doing?

 

I'm reading this link Solved: How to use replace in search? - Splunk Community but I can't get results with what I want to do.

From a search I get a field called "user_name" with the following format "DOMAIN\\\\USER" what I want to do is to replace \\\\ with only one \ and get "DOMAIN\USER"

 

If I use the query that I saw i the link attached I get this error

Tincho_0-1685656301040.png

 

If I add one " I get this

Tincho_1-1685656499853.png

 

How can I replace \\\\ for \ ?

 

Regards.
Martín.

Labels (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

In case you are counting the proliferation of backslashes, here is a slightly less painful one:

| eval user_name = mvjoin(split(user_name, "\\\\\\\\"), "\\")

Another one using sed

| rex field=user_name mode=sed "s/\\\+/\\\/"

And finally, using replace

| eval user_name = replace(user_name, "\\\+", "\\")
Tags (4)
0 Karma

Tincho
Engager

Hi @danspav thanks a lot for your response.

I was able to replace DOMAIN\\\\USER for DOMAIN\USER with the regex option. 😀

0 Karma

danspav
SplunkTrust
SplunkTrust

Hi @Tincho ,

It can be a bit of a pain creating regexes inside quotes, because you have to escape characters for the string, and escape characters for regex - meaning you double up on escaping characters.

Here's a search that takes domain\\\\user and converts it to domain\user in a couple of different ways:

| makeresults| eval user_name="DOMAIN\\\\\\\\USER"

``` Using replace - escaping multiple times ```
| eval user_name_replace=replace(user_name, "\\\\\\\\\\\\\\\\","\\")

``` Using sed ```
| eval user_name_sed = user_name
| rex field=user_name_sed mode=sed "s/\\\\{4}/\\\\/"

``` Using rex to create a domain field, and user field, then combining them ```
| rex field=user_name "^(?<domain>[^\\\\]+)\\\\+(?<user>.+)$"
| eval user_name_regex = domain . "\\" . user

``` output the results ```
| table user_name, user_name_replace,user_name_sed, user_name_regex

That results in :

danspav_1-1685688194263.png


Cheers,
Daniel

Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...