Simple rex works on REGEX101 but not in splunk.

codedtech · ‎09-19-2019

Hey so I have a list of of values, that need to be standardized. The values I'm need to transform look like this:
Pool1-dp
Pool2-dp
Pool3_MSDP
Pool4_MSDP
Pool5-dp

I need to trim the values to just have their proper pool names (Pool1). Here is the SPL
MySearch|rex mode=sed field="Field1" s/"(-dp)|(_MSDP)" but, when I run it in my instance I keep getting errors like this one.

Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace.

I've spent about 4 hours trying to figure this out and I jut cant seem to do it. I wrote the REX in regex101, and it works there with no problem there. I did a bunch of googling and I tried most of the posts here at splunk answers, any help would be very appreciated.
Disclaimer I do not have access to the server where the instance is hosted, just the instance itself.

richgalloway · ‎09-19-2019

Your rex command may have been mangled by the forum (use backtics to prevent that), but it looks like the sed command is incomplete. There needs to be three delimiters: the first two enclose the expression to find and the second two enclose the replacement expression. Try this: rex mode=sed field="Field1" "s/(-dp)|(_MSDP)//".

---
If this reply helps you, Karma would be appreciated.

Simple rex works on REGEX101 but not in splunk.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?