- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Text function replace and "\"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello folks,
I am experiencing problems to use replace to change a field value like "qwerty\foo" to "qwerty\foo".
I am testing it with this query
| makeresults
| eval user="qwerty\foo"
| eval ruser=replace(user,"\\","\\")
In this case I have this error
Error in 'eval' command: Regex: \ at end of pattern
The same for:
| eval ruser=replace(user,"\","\\")
Using | eval ruser=replace(user,"\{1}","anything") , It does not show an error but nothing changes. The same for + or *.
Using | eval ruser=replace(user,"\\","a") shows the next error, and of course If use another " nothing will change.
Unbalanced quotes.
With | eval ruser=replace(user,"(.)\(.)","\1\\\2") no error but nothing changes and | eval ruser=replace(user,"(.)\(.)","\1\\\2") shows the next error:
Error in 'eval' command: Regex: unmatched closing parenthesis
Just in case tested | eval ruser=replace(user,"/\","/\/\") , error
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\/\")'.
The only thing worked for reading \ was this regex:
| eval ruser=replace(user,"(.)\(.)","\1(\)(\)\2")
But the output I was unable to output a double \
Because I am unable to rex it a temporary solution was this.
| makeresults
| eval user="qwerty\foo"
| eval tuser=replace(user,"(.*)\\\(.*)","\1?\2")
| rex field=tuser "(?<u1>[^\?]+)\?(?<u2>[^\?]+)"
| eval ruser=u1+"\\\\"+u2
¿Someone know the way to use replace in this case to make things easy? Thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| makeresults
| eval user="qwerty\foo"
| eval ruser=replace(user,"\\\\","\\\\\\\\")
In SPL, the escape has to be escaped so everything doubles. If you want to find a backlash, you would normally look for \. But in SPL you have to escape your escape: \ and then escape the backslash you are trying to find with another \.
https://docs.splunk.com/Documentation/Splunk/7.3.0/Search/SPLandregularexpressions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| makeresults
| eval user="qwerty\foo"
| eval ruser=replace(user,"\\\\","\\\\\\\\")
In SPL, the escape has to be escaped so everything doubles. If you want to find a backlash, you would normally look for \. But in SPL you have to escape your escape: \ and then escape the backslash you are trying to find with another \.
https://docs.splunk.com/Documentation/Splunk/7.3.0/Search/SPLandregularexpressions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So many banelings!!err.. I mean, \\\\\ 🙂
Works as intended, I did not understand the double scape so I've used 3 \ instead of 4 \ 🙂
Thanks for the answer.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
