Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Replace in SPL2 not working like SPL

KeithH
Path Finder
3 weeks ago

Hi,

I am having trouble getting replace to work correctly in Ingest Processor and have this example.

In SPL I can run this search:

 

 

| makeresults 
| eval test = "AAABBBCCC" 
| eval text = "\\\"test\\\":\\\"" 
| eval output = replace(test, "BBB", text)

 

 

and I will get this output

image (4).png

But if I run this in a Ingest Processor pipeline

| eval test = "AAABBBCCC"
| eval text = "\\\"test\\\":\\\""
| eval output = replace(test, "BBB", text)

The result is:

 

 

Note the slashes before the doublequotes have gone.

Why have they gone?

How do I ensure they are retained by Ingest Processor.

This is a simplified example of what I am trying to do but this is the core of the problem I am having.

Thanks

Tags (1)
0 Karma
Reply

KeithH
Path Finder
2 weeks ago

Further Update:  Splunk fixed the bug and expect it to be released to Splunk Cloud in the next couple of weeks.

Reply

bowesmana
SplunkTrust
SplunkTrust
3 weeks ago

Splunk uses PCRE and also the search parser will handle unescaping, whereas Ingest Processor uses RE2 - although that appears to be changing. So you probably need to use 2 \\ characters, not 3 as the Splunk parser will take away one.

But validate

0 Karma
Reply

KeithH
Path Finder
3 weeks ago

Hi Bowesmana,

I tried that too but the editor wont even let me save it that way:

KeithH_0-1741839937577.png

Also note that while this simple example illustrates the problem the real data is extracted by  previous rex command so my ability to manipulate it is limited.
Thanks

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
3 weeks ago

Mmm, OK, I was going to suggest the SPL2 channel in the Splunk Slack group, but I see you already found that.

0 Karma
Reply

KeithH
Path Finder
3 weeks ago

Oh for some reason the image of the SPL2 result didnt post so here it is:
Screenshot 2025-03-13 143138.png

0 Karma
Reply

KeithH
Path Finder
3 weeks ago

UPDATE:  I pursued this via another angle and have had agreement from Splunk that this seems to be a bug and that they will put some work into it though I dont have any reference number or ETA as yet.

In the meantime I am use the rex command with mode=sed to achieve something acceptable but not as good as I would have liked.

Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top