Splunk Search

replace strings

saurabhkunte
Path Finder

Hello,
I have a lookup file with data in the following format:

name _time
srv-a.xyz.com 2017.07.23
srv-b.wxyz.com 2017.07.23

I want to replace .xyz.com with wxyz.com

My replace query does this correctly for values which end with .xyz.com. However for values ending with .wxyz.com it adds an extra . (dot) to the result.

| eval name = replace(name,".xyz.com", ".wxyz.com")
So the final output looks like:

name _time
srv-a.wxyz.com 2017.07.23
srv-b..wxyz.com 2017.07.23

Why is that? Any help on this is highly appreciated. Thanks

1 Solution

Richfez
SplunkTrust

The replace function actually is regex. From the most excellent docs on replace:

replace(X,Y,Z) - This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

The X and Z portions are just strings, so in there a period is just a period, right?
The Y is a REGEX, and regular expressions use the dot as a wildcard for "any single character".

That means in replace(name,".xyz.com", ".wxyz.com") you are replacing every occurrence of <any single character>xyz<any single character>com with ".wxyz.com".

If you want to use replace with literally what you wrote, just escape the periods by putting a backslash in front of them.

| eval name = replace(name,"\.xyz\.com", ".wxyz.com")

Here's a run-anywhere with it fixed. To watch it not work right, just remove the backslashes!

| makeresults 
| eval src=".wxyz.com"
| eval name = replace(src,"\.xyz\.com", ".wxyz.com")

Happy Splunking!
-Rich
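
An added example, not part of the original post: the same pitfall reproduced with Python's re module, which treats an unescaped dot the way the answer describes. It goes slightly beyond the thread by also anchoring the pattern to the end of the name; the first two names come from the question, while the other two names and the anchored variant are assumptions added for illustration.

```python
import re

# Constructed sample rows: the first two are the names from the question,
# the last two are extra edge cases (assumptions, not from the thread).
NAMES = [
    "srv-a.xyz.com",
    "srv-b.wxyz.com",
    "srv-c.xyz.com.example.net",   # old suffix appears mid-name
    "srv-d-xyz-com",               # no dots at all
]

OLD, NEW = ".xyz.com", ".wxyz.com"


def naive(name):
    """OLD used directly as a regex: each '.' matches any single character."""
    return re.sub(OLD, NEW, name)


def escaped(name):
    """Dots escaped, as in the accepted answer: only the literal text matches."""
    return re.sub(re.escape(OLD), NEW, name)


def escaped_anchored(name):
    """Literal match that must also end the name, i.e. a true suffix."""
    return re.sub(re.escape(OLD) + r"$", NEW, name)


def compare(names=NAMES):
    """Return (name, naive, escaped, anchored) for each input name."""
    return [(n, naive(n), escaped(n), escaped_anchored(n)) for n in names]


if __name__ == "__main__":
    for row in compare():
        print("{:28} {:30} {:30} {}".format(*row))
```

The unescaped pattern rewrites "srv-d-xyz-com" as well, and only the anchored form leaves "srv-c.xyz.com.example.net" alone, which matters when the rewritten names are later used to match hosts.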


cmerriman
Super Champion

You can try this:

| replace "*.xyz.com" with "*.wxyz.com" in name

jaxjohnny2000
Builder

Thank you. What if we have multiple occurrences of a string?

Windows-10-Enterprise
Windows-7-Enterprise
WindowsServer-2008-R2-Enterprise

How would we replace all the "-" characters with a space?

0 Karma

Richfez
SplunkTrust

You would probably be better served by creating a new question.

In fact, I probably shouldn't answer this here, but the answer is the easy "exactly like you'd expect" in that replace doesn't stop at the first match. Here's a run-anywhere.

| makeresults 
| eval test1 = "WindowsServer-2008-R2-Enterprise"
| eval test2 = replace(test1, "-", " ")

cmerriman
Super Champion

You could do |rex mode=sed field=field "s/-/ /g"

0 Karma

aebrittingham
Engager

I just used this and it did exactly what I wanted, put it at the end of my search and I didn't need to add extra stuff. Hence the point from me.

unitedmarsupial
Path Finder

Thanks! It really is a full regular-expression substitution (using "extended" syntax) -- with capturing groups too. You can do things like replace(Field, ".* something ([A-Za-z]+) .*", "\1"). Character-classes (like [[:alnum:]]) do not seem to work, but that's less important.

0 Karma

saurabhkunte
Path Finder

Thank you, Rich! I overlooked the wildcard for any single character.

0 Karma