Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

rex in sed mode to replace special chartacter

ChrisCLewis
Communicator
‎09-17-2019 03:16 AM

Good morning
I need to replace special characters with a line return command but I am having difficulty getting the rex mode=sed working correctly -

example foo fields

hr$D362$processing
long$trip

| rex field=foo mode=sed "s/(".+?$.+?")/\n/g"

Many thanks for any help you could provide

0 Karma
Reply

to4kawa
Ultra Champion
‎01-19-2020 02:54 AM 
| makeresults
| eval _raw="hr$D362$processing"
| appendpipe
    [eval _raw="long$trip"]
    | eval foo=split(_raw,"$")

Hi, folks.
Simply, use split()

0 Karma
Reply

to4kawa
Ultra Champion
‎01-19-2020 03:01 AM 
index=foobar 
| eval s1= section.";".Name.";".Code 
| eval s2=crit.";".critname 
| stats values(Number) as Number by s2 s1 
| eval s2 = split(s2,";"), s1 = split(s1,";") 
| chart values(Number) as Number over s2 by s1 useother=f usenull=f

Here is for search query.
I see the multiple values ​​are automatically expanded.
great!

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-17-2019 04:59 AM

@ChrisCLewis

Can you please try this rex command?
| rex field=foo mode=sed "s/\$/\n/g"

Sample Search:

| makeresults | eval foo="hr$D362$processing" | rex field=foo mode=sed "s/\$/\n/g"
0 Karma
Reply

ChrisCLewis
Communicator
‎09-17-2019 05:24 AM

Good afternoon,

thank you for your reply.

It is changing the $ to a space rather than a line return
showing
hr D362 processing

hoping for:
hr
D362
processing

Regards

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-17-2019 05:52 AM

It's working for me. Please check. https://imgur.com/a/q0w7ZjL

Can you please share your full search with masking confidential values?

0 Karma
Reply

ChrisCLewis
Communicator
‎09-17-2019 06:52 AM

index=foobar
|eval s1= section.";".Name.";".Code
|eval s2=crit.";".critname

|stats values(Number) as Number by s2 s1
| rex field=s2 mode=sed "s/\;/\n/g"
| rex field=s1 mode=sed "s/\;/\n/g"
|chart values(Number) over sepa2 by sepa useother=f usenull=f

Interestingly when I 'inspect' the graph it looks like there is a line break but splunk is showing it as a space in the chart

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out >> Kudos to all the ...