Hi all, I have tried everything...
SEDCMD-replacespaces = s/\s/_/g
SEDCMD-replacespaces = s/ /_/g
I tried something like s/\s/lol/g and this did not work also, the problem is likely with identifying the single space.
What I would like to do is perform a find replace for spaces and replace with underscores, as the KV pairs are not being picked up correctly when a space is encountered, for example I have the code in (that works) that performs : SEDCMD-replacecolons = s/\s:\s/=/g s/:\s/=/g s/:\n/=/g t hat puts the equals signs in correctly, I just want to re-go over it and replace spaces with underscores.
We aren't able to change the code that writes the logs, in case anyone suggests that.
Can anyone please explain why sedcmd will not work with a single space as either a regex identifier or a raw character?
I don't see an issue with the SEDCMD command. Where are you placing this props.conf? This should go on Indexer/Heavy Forwarder and will only do the replacement for new events (old events will not change).
how about \s+ or putting the sedcmd in quotes?
Are there spaces when the sedcmd runs?
raw = THERE ARE SPACES
SEDCMD-AAA = s/THERE\sARE\sSPACES/TEHREARENTSPACES/g
SEDCMD-BBB = s/\s//g
Hi, yes everything is working otherwise, doing this on heavy forwarder.
I'm looking at other options now, going to use regex capture groups and just try to scrape what I can.
My testimony here is that SED in splunk does not work identically to SED in linux. \s can not be found and replaced with anything in splunk. When reading up on SED in general, my command should work fine.
This may of course be a collision between transforms.conf etc... Or it could just be that there is some method required.
+1 to @jkat54 's answer.
I created a script that writes
"$Date T O D A Y I S $DAY" and configured the monitored input.
[source::/opt/splunk/bin/scripts/test.txt] SEDCMD-replacespaces = s/()/^/g
Bounced splunkd and here's the output in search
^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^M^O^N^D^A^Y^ ^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^T^U^E^S^D^A^Y^ ^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^W^E^D^N^E^S^D^A^Y^ ^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^T^H^U^R^S^D^A^Y^ ^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^F^R^I^D^A^Y^ ^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^S^A^T^U^R^D^A^Y^ ^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^S^U^N^D^A^Y
I ran out of suggestions as all the proposed formats work for me.
Hope this helps!
I just tried the following from search, which is pretty much a mimic in props without the """
|gentimes start=-1|eval Space="THIS IS A TEST"|rex mode=sed field=Space "s/( )/^/g" and the output is THIS^^IS^^^A^^^TEST
One last try may be?