I'm performing a search using advanced xml that returns a key/value pair (among other things).
I use the Filename key to perform a few searches, e.g. $Filename$ in a child module. Following that I need to slightly change the name and continue a new search. The name requires the addition of a few numbers and a change of the extension.
So I've been trying to work out the best/easiest way to change the name. I've attempted some regex ("rex" and "rex mode=sed") and am failing dismally, purely due to my inability to grasp the regex syntax I think). I also had a brief look at eval replace option, but struggled to understand its operation (as shown here : http://splunk-base.splunk.com/answers/6424/replace-parts-of-a-string).
If anyone can help with this it would be much appreciated. Also if someone does provide a regex answer, could you please explain how it does what it does, or point me to a page so I can reverse engineer the regex syntax to understand how it does what it does?
Thank you in advance..
Unsure of how to post code in comment, so I'm asking in answer.
Does it have to be in a regex or can you do this replacement in a search? Ex:
your search | eval newfilename=$filename$ | replace *.jpg with *-456.bmp in newfilename
Ah. Sorry. Search newName will literally search for the term newName whereas you want to search for its value. I am unsure how to extract the value from newName to pipe into a new search.
| search newName
and the search found nothing. I tried a :-
| table newName
and it displayed the correct name it should be searching for. Is there any reason why the search isn't working with the new eval/replace field name (using the same name in a standard Splunk search worked fine)?
I was illustrating the replace function. Your search is stating you want to see everything in _internal. You'll want to add this to the end of the search:
| search whatyourelookingfor=newName
if I am understanding what you are trying to do correctly.
Thanks for the suggestion, it looks like it should work, though I can't get it to work :(. I added the eval and replace to a few searches but found they made no difference to the search. The search just returned what was set before the eval. What am I missing? Here is the last test I did:-
index=_internal | eval newName=$series$ | replace *web_access.log with *metrics.log in newName
It just returns everything filtered by "index=_internal", which is pretty much everything.
Thanks for the quick reply.
someName - will always be the same (static).
123 - will be consistent across the name change, but each someName file will have a new/different number e.g. 124.
It will always be a change from .jpg to 456.bmp (456 being consistent).
So I was trying to do something like:-
someName123.jpg to someName123-456.bmp
regex to replace .jpg (everything from the "." onward and inclusive or 4 characters back from the end of the string) with "-456.bmp". Which sounds simple, but I couldn't for the life of me work out the regex to do it 😞
I was about to write an answer, but it would help if you could specify exactly how you want things to be transformed. Which parts of this are static and which are dynamic? Is "someName" always the same or not? Is there a rule to the numbers you want to add after the dash you're inserting in the filename? Should the extension always be changed from .jpg to .bmp?