Splunk Search

How do I reverse/swap characters in a string value returned from a search?

ajay_mk
Explorer

Hi,

If my search returns a string value of "ABCDEF"

1) How do I modify the search to reverse this value so it outputs "FEDCBA" ?

2) How do I swap characters from this value so it outputs "BADCFE" ? (1st 2 characters are being swapped)

Thanks!

1 Solution

woodcock
Esteemed Legend

This does just the first 2:

... | rex field=myField mode=sed "s/(.)(.)/\2\1/" | table host

Extend the example (more (.) in the first section and more \# in the second section) to reverse longer strings.

This byteswaps an entire string of any length (every pair):

... | rex field=myField mode=sed "s/(.)(.)/\2\1/g" | table host

jhuysing
Loves-to-Learn Lots

This solution works for a fixed-length string. Is there a way of performing character reversal for variable-length fields apart from having multiple regexes with different search and replacement lengths?

|rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\10\9\8\7\6\5\4\3\2\1/"
| rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\9\8\7\6\5\4\3\2\1/"
| rex field=nbr mode=sed "s/(\d).(\d).(\d).(\d).(\d).(\d).(\d).(\d)/\8\7\6\5\4\3\2\1/"

0 Karma

woodcock
Esteemed Legend

Post a new question.

0 Karma

wrangler2x
Motivator

Reverse that string:

| gentimes start=-1| eval forward="ABCDEF" | eval reverse=replace(forward,"(.)(.)(.)(.)(.)(.)","\6\5\4\3\2\1")| table forward reverse

Reverse the first two characters only:

| gentimes start=-1| eval forward="ABCDEF" | eval reverse2=replace(forward,"(.)(.)","\2\1")| table forward reverse2
0 Karma

wrangler2x
Motivator

Think of | gentimes start=-1 as your search. This just allows the demonstration of this function, but any search can replace that part. And -- of course, the | eval forward="ABCDEF" is just the setup to give us a string to work with. In a real search that would be omitted, and forward could be any field with a string in it. 🙂

0 Karma

woodcock
Esteemed Legend

This does just the first 2:

... | rex field=myField mode=sed "s/(.)(.)/\2\1/" | table host

Extend the example (more (.) in the first section and more \# in the second section) to reverse longer strings.

This byteswaps an entire string of any length (every pair):

... | rex field=myField mode=sed "s/(.)(.)/\2\1/g" | table host

ajay_mk
Explorer

Hey, thanks. I just ran what you mentioned, but it's only swapping the first 2 characters.

Value to swap = 535276

Swapped value 355276

Changing the lengths doesn't seem to work?

0 Karma

somesoni2
SplunkTrust

Did you add the 'g' at the end as mentioned in the comment? Try this run-anywhere sample search:

| gentimes start=-1 | eval myField="535276" |  rex field=myField mode=sed "s/(.)(.)/\2\1/g"

ajay_mk
Explorer

Yes, the g worked. Thanks again.

somesoni2
SplunkTrust

I would suggest one correction: add the "g" flag at the end to do it for all characters, like s/(.)(.)/\2\1/g

MuS
SplunkTrust

Sorry guys, but this is one of the sweetest regex ever on answers! 🙂

woodcock
Esteemed Legend

OK @MuS, cough up some up-vote love!

0 Karma

ajay_mk
Explorer

Ha, perfect, that worked. Thank you both!

somesoni2
SplunkTrust

Don't forget to accept the answer by clicking on the Accept hyperlink below the answer.

0 Karma
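
The substitutions discussed in this thread, modelled as an added example that is not code from any poster: it shows what the pair swap does with and without the g flag, and how a fixed number of capture groups behaves on shorter or longer values. Python's `re` module stands in for Splunk's sed-mode `rex` here (an assumption that holds for these simple patterns); the function names are hypothetical.

```python
import re

PAIR = re.compile(r"(.)(.)")              # pattern from s/(.)(.)/\2\1/
SIX = re.compile(r"(.)(.)(.)(.)(.)(.)")   # six-group pattern from the replace() reply


def swap_first_pair(value: str) -> str:
    # No g flag: only the first match is rewritten (count=1).
    return PAIR.sub(r"\2\1", value, count=1)


def swap_all_pairs(value: str) -> str:
    # With the g flag: every non-overlapping pair is swapped.
    # An odd-length value keeps its last character in place, because
    # the pattern needs two characters to match.
    return PAIR.sub(r"\2\1", value)


def reverse_fixed_six(value: str) -> str:
    # Six capture groups reverse exactly six characters: a longer value
    # keeps its tail in order, a shorter value does not match at all.
    return SIX.sub(r"\6\5\4\3\2\1", value, count=1)


def reverse_any_length(value: str) -> str:
    # Length-independent reversal for comparison; no regex involved.
    return value[::-1]


if __name__ == "__main__":
    # "ABCDEF" and "535276" are the values quoted in the thread;
    # "ABCDE" and "ABCDEFGH" are constructed to show the edge cases.
    print("value     first-pair  all-pairs  fixed-six  any-length")
    for sample in ("ABCDEF", "535276", "ABCDE", "ABCDEFGH"):
        print(
            f"{sample:<9} {swap_first_pair(sample):<11} "
            f"{swap_all_pairs(sample):<10} {reverse_fixed_six(sample):<10} "
            f"{reverse_any_length(sample)}"
        )
```
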