Splunk Search

Using regex to replace letters in a search.

kisa
Explorer

Hi,

I'm performing a search using advanced xml that returns a key/value pair (among other things).

E.g. Filename=someName123.jpg

I use the Filename key to perform a few searches, e.g. $Filename$ in a child module. Following that I need to slightly change the name and continue a new search. The name requires the addition of a few numbers and a change of the extension.

E.g. someName123-456.bmp

So I've been trying to work out the best/easiest way to change the name. I've attempted some regex ("rex" and "rex mode=sed") and am failing dismally (purely due to my inability to grasp the regex syntax, I think). I also had a brief look at the eval replace option, but struggled to understand its operation (as shown here: http://splunk-base.splunk.com/answers/6424/replace-parts-of-a-string).

If anyone can help with this it would be much appreciated. Also if someone does provide a regex answer, could you please explain how it does what it does, or point me to a page so I can reverse engineer the regex syntax to understand how it does what it does?

Thank you in advance.


kisa
Explorer

Sorry, after some clarification I also found out that the value before the .bmp (i.e. 456) is not a constant.


antlefebvre
Communicator

Unsure of how to post code in comment, so I'm asking in answer.

Does it have to be in a regex or can you do this replacement in a search? Ex:

your search | eval newfilename=$filename$ | replace *.jpg with *-456.bmp in newfilename

kisa
Explorer

No worries, thanks for your help so far. I'll see if I can finish it off 🙂


antlefebvre
Communicator

Ah. Sorry. Search newName will literally search for the term newName whereas you want to search for its value. I am unsure how to extract the value from newName to pipe into a new search.


kisa
Explorer

Thanks again.

I tried:

| search newName

and the search found nothing. I tried:

| table newName

and it displayed the correct name it should be searching for. Is there any reason why the search isn't working with the new eval/replace field name (using the same name in a standard Splunk search worked fine)?


antlefebvre
Communicator

Or just
| search newName


antlefebvre
Communicator

I was illustrating the replace function. Your search is stating you want to see everything in _internal. You'll want to add this to the end of the search:
| search whatyourelookingfor=newName

if I am understanding what you are trying to do correctly.


kisa
Explorer

Thanks for the suggestion, it looks like it should work, though I can't get it to work :(. I added the eval and replace to a few searches but found they made no difference to the search. The search just returned what was set before the eval. What am I missing? Here is the last test I did:

index=_internal | eval newName=$series$ | replace *web_access.log with *metrics.log in newName

It just returns everything filtered by "index=_internal", which is pretty much everything.


kisa
Explorer

Thanks for the quick reply.

someName - will always be the same (static).
123 - will be consistent across the name change, but each someName file will have a new/different number e.g. 124.
It will always be a change from .jpg to 456.bmp (456 being consistent).

So I was trying to do something like:

someName123.jpg to someName123-456.bmp

regex to replace .jpg (everything from the "." onward and inclusive, or 4 characters back from the end of the string) with "-456.bmp". Which sounds simple, but I couldn't for the life of me work out the regex to do it 😞

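A worked version of the regex kisa describes above, added here as an example that is not part of the thread or any poster's code. It assumes the fixed base name someName followed by digits, takes the suffix as a parameter because another comment in the thread says the 456 is not constant, and also returns the sed-style expression in the form Splunk's rex mode=sed accepts, so the same pattern can be tried in a search.

```python
import re

# Pattern explained token by token:
#   ^           anchor at the start of the string
#   (someName   group 1 starts with the literal, static base name
#   \d+)        one or more digits (123, 124, ...), still inside group 1
#   \.jpg       a literal dot (escaped, since an unescaped "." matches any
#               character) followed by the literal text "jpg"
#   $           anchor at the end of the string, so nothing may follow
# Everything in group 1 is kept; only the extension is replaced.
FILENAME_RE = re.compile(r"^(someName\d+)\.jpg$")


def rename(filename, suffix="456"):
    """Turn someName123.jpg into someName123-<suffix>.bmp.

    A name that does not match the pattern is returned unchanged, which is
    also what a sed-style substitution does when its pattern finds nothing.
    """
    # \g<1> re-inserts what group 1 captured; the "-", the suffix and the
    # new extension are added as literal text.
    return FILENAME_RE.sub(r"\g<1>-" + suffix + ".bmp", filename)


def sed_expression(suffix="456"):
    """The same substitution written as s/<pattern>/<replacement>/ for
    Splunk's rex mode=sed (there \\1 is the back-reference to group 1),
    e.g. | rex field=Filename mode=sed "<expression>". The field name
    Filename is taken from the question."""
    return r"s/^(someName\d+)\.jpg$/\1-" + suffix + ".bmp/"


if __name__ == "__main__":
    for name in ("someName123.jpg", "someName124.jpg", "someName123.png"):
        print(name, "->", rename(name))
    print(sed_expression())
```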

Ayn
Legend

I was about to write an answer, but it would help if you could specify exactly how you want things to be transformed. Which parts of this are static and which are dynamic? Is "someName" always the same or not? Is there a rule to the numbers you want to add after the dash you're inserting in the filename? Should the extension always be changed from .jpg to .bmp?
