Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Replace Characters- How can I replace \\\\ for \ ?

Tincho
Engager
‎06-01-2023 02:56 PM

Hi guys how are you doing?

 

I'm reading this link Solved: How to use replace in search? - Splunk Community but I can't get results with what I want to do.

From a search I get a field called "user_name" with the following format "DOMAIN\\\\USER" what I want to do is to replace \\\\ with only one \ and get "DOMAIN\USER"

 

If I use the query that I saw i the link attached I get this error

Tincho_0-1685656301040.png

 

If I add one " I get this

Tincho_1-1685656499853.png

 

How can I replace \\\\ for \ ?

 

Regards.
Martín.

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-03-2023 06:17 PM

In case you are counting the proliferation of backslashes, here is a slightly less painful one:

| eval user_name = mvjoin(split(user_name, "\\\\\\\\"), "\\")

Another one using sed

| rex field=user_name mode=sed "s/\\\+/\\\/"

And finally, using replace

| eval user_name = replace(user_name, "\\\+", "\\")
Tags (4)
0 Karma
Reply

Tincho
Engager
‎06-02-2023 07:29 AM

Hi @danspav thanks a lot for your response.

I was able to replace DOMAIN\\\\USER for DOMAIN\USER with the regex option. 😀

0 Karma
Reply

danspav
SplunkTrust
SplunkTrust
‎06-01-2023 11:48 PM

Hi @Tincho ,

It can be a bit of a pain creating regexes inside quotes, because you have to escape characters for the string, and escape characters for regex - meaning you double up on escaping characters.

Here's a search that takes domain\\\\user and converts it to domain\user in a couple of different ways:

| makeresults| eval user_name="DOMAIN\\\\\\\\USER"

``` Using replace - escaping multiple times ```
| eval user_name_replace=replace(user_name, "\\\\\\\\\\\\\\\\","\\")

``` Using sed ```
| eval user_name_sed = user_name
| rex field=user_name_sed mode=sed "s/\\\\{4}/\\\\/"

``` Using rex to create a domain field, and user field, then combining them ```
| rex field=user_name "^(?<domain>[^\\\\]+)\\\\+(?<user>.+)$"
| eval user_name_regex = domain . "\\" . user

``` output the results ```
| table user_name, user_name_replace,user_name_sed, user_name_regex

That results in :

danspav_1-1685688194263.png


Cheers,
Daniel

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...