Hi guys how are you doing?
I'm reading this link Solved: How to use replace in search? - Splunk Community but I can't get results with what I want to do.
From a search I get a field called "user_name" with the following format "DOMAIN\\\\USER". What I want to do is replace \\\\ with only one \ and get "DOMAIN\USER".
If I use the query that I saw in the link attached I get this error
If I add one " I get this
How can I replace \\\\ for \ ?
Regards.
Martín.
In case you are counting the proliferation of backslashes, here is a slightly less painful one:
| eval user_name = mvjoin(split(user_name, "\\\\\\\\"), "\\")
Another one using sed
| rex field=user_name mode=sed "s/\\\+/\\\/"
And finally, using replace
| eval user_name = replace(user_name, "\\\+", "\\")
Hi @danspav thanks a lot for your response.
I was able to replace DOMAIN\\\\USER for DOMAIN\USER with the regex option. 😀
Hi @Tincho ,
It can be a bit of a pain creating regexes inside quotes, because you have to escape characters for the string, and escape characters for regex - meaning you double up on escaping characters.
Here's a search that takes domain\\\\user and converts it to domain\user in a couple of different ways:
| makeresults
| eval user_name="DOMAIN\\\\\\\\USER"
``` Using replace - escaping multiple times ```
| eval user_name_replace=replace(user_name, "\\\\\\\\\\\\\\\\","\\")
``` Using sed ```
| eval user_name_sed = user_name
| rex field=user_name_sed mode=sed "s/\\\\{4}/\\\\/"
``` Using rex to create a domain field, and user field, then combining them ```
| rex field=user_name "^(?<domain>[^\\\\]+)\\\\+(?<user>.+)$"
| eval user_name_regex = domain . "\\" . user
``` output the results ```
| table user_name, user_name_replace, user_name_sed, user_name_regex
That results in:
Cheers,
Daniel
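The two escaping layers described in the answer above, as an added example that is not part of the original thread. Python stands in for Splunk's quoted strings (assumption: both turn `\\` inside quotes into one backslash before the regex engine sees it), and the function names are hypothetical.

```python
import re

# Regex layer only (raw string): \\+ = "one or more literal backslashes".
BACKSLASH_RUN = re.compile(r"\\+")

def normalize_account(value: str) -> str:
    """Collapse any run of backslashes in an account name to a single one."""
    # A function replacement is inserted literally, so the replacement side
    # needs no regex-level escaping, only the string-level "\\" for one "\".
    return BACKSLASH_RUN.sub(lambda m: "\\", value.strip())

def escaping_layers(regex_text: str) -> dict:
    """Count the backslashes one regex needs once it sits in a quoted string."""
    typed = regex_text.replace("\\", "\\\\")  # string layer doubles each one
    return {
        "regex_engine_sees": regex_text,
        "typed_in_quotes": typed,
        "backslashes_in_regex": regex_text.count("\\"),
        "backslashes_typed": typed.count("\\"),
    }

# Constructed sample values (raw strings, so what you see is the field value).
SAMPLES = [r"DOMAIN\\\\USER", r"DOMAIN\\USER", r"DOMAIN\USER", "user@example.test"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:<20} -> {normalize_account(s)}")
    # Four literal backslashes spelled out: 8 in the regex, 16 in the quotes.
    print(escaping_layers("\\" * 8))
    # The same match with a quantifier: 2 in the regex, 4 in the quotes.
    print(escaping_layers(r"\\{4}"))
```

Matching on a run of backslashes instead of exactly four keeps the account name canonical even when different sources escape it a different number of times, which matters when detections join events on user_name.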