Splunk Search

rex in sed mode to replace special character

ChrisCLewis
Communicator

Good morning
I need to replace special characters with a line return command, but I am having difficulty getting the rex mode=sed working correctly.

example foo fields

hr$D362$processing
long$trip

| rex field=foo mode=sed "s/(".+?$.+?")/\n/g"

Many thanks for any help you could provide

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="hr$D362$processing"
| appendpipe
    [eval _raw="long$trip"]
    | eval foo=split(_raw,"$")

Hi, folks.
Simply, use split()

0 Karma

to4kawa
Ultra Champion
index=foobar 
| eval s1= section.";".Name.";".Code 
| eval s2=crit.";".critname 
| stats values(Number) as Number by s2 s1 
| eval s2 = split(s2,";"), s1 = split(s1,";") 
| chart values(Number) as Number over s2 by s1 useother=f usenull=f

Here is the search query.
I see the multiple values are automatically expanded.
Great!

0 Karma

kamlesh_vaghela
SplunkTrust

@ChrisCLewis

Can you please try this rex command?
| rex field=foo mode=sed "s/\$/\n/g"

Sample Search:

| makeresults | eval foo="hr$D362$processing" | rex field=foo mode=sed "s/\$/\n/g"
0 Karma

ChrisCLewis
Communicator

Good afternoon,

Thank you for your reply.

It is changing the $ to a space rather than a line return,
showing:
hr D362 processing

hoping for:
hr
D362
processing

Regards

0 Karma

kamlesh_vaghela
SplunkTrust

It's working for me. Please check. https://imgur.com/a/q0w7ZjL

Can you please share your full search with masking confidential values?

0 Karma

ChrisCLewis
Communicator

index=foobar
|eval s1= section.";".Name.";".Code
|eval s2=crit.";".critname

|stats values(Number) as Number by s2 s1
| rex field=s2 mode=sed "s/\;/\n/g"
| rex field=s1 mode=sed "s/\;/\n/g"
|chart values(Number) over sepa2 by sepa useother=f usenull=f

Interestingly, when I 'inspect' the graph it looks like there is a line break, but Splunk is showing it as a space in the chart.

0 Karma