Solved: sed to replace a string after a match

anoopdi · ‎08-24-2020

Is there a way I can substitute a string after a regular expression match? For example, i want to replace the IP address which appears after 'Chrome/'

70.31.171.12 - admin [24/Aug/2020:14:31:44.596 +0000] "GET /en-US/splunkd/__raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+sourcetype%3Dsplunkd_ui_access+&useTypeahead=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1598275250371 HTTP/1.1" 200 5620 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" - e02845bc5c07fae3e33855fca82cc968 12ms

I am able to use 'sed' to replace one more match of IP address but do not know how to replace a specific one.

I want the event to look like this after the running sed,

70.31.171.12 - admin [24/Aug/2020:14:31:44.596 +0000] "GET /en-US/splunkd/__raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+sourcetype%3Dsplunkd_ui_access+&useTypeahead=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1598275250371 HTTP/1.1" 200 5620 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/xxx.xxx.xxx.xxx Safari/537.36" - e02845bc5c07fae3e33855fca82cc968 12ms

isoutamo · ‎08-24-2020

Hi

| rex field=_raw mode=sed "s#Chrome/(\d+\.\d+\.\d+\.\d+)#Chrome/xxxxxxx#"

Works with previous sample.

r. Ismo

View solution in original post

isoutamo · ‎08-24-2020

Hi

| rex field=_raw mode=sed "s#Chrome/(\d+\.\d+\.\d+\.\d+)#Chrome/xxxxxxx#"

Works with previous sample.

r. Ismo

anoopdi · ‎08-24-2020

Awesome!!. Thank you so much!

sed to replace a string after a match

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...