What should I use to put a TAB literally in a rege...

stefan1988 · ‎05-22-2017

What should I use to put a TAB literally in a regex replacement within transforms.conf?

I've tried \t but that's not working.

I would like to replace a | with tab (ASCI 0x09)

woodcock · ‎05-22-2017

I cannot get escape codes (other than for captured field references) to work in the replace portion of sed inside of Splunk so I do not thing that this is possible without pre-processing with your own "glue" before coming into Splunk. I tried using \t and also \x09 and neither works.

malvidin · ‎07-21-2020

For me, the only backslash sequences that worked for sed replacement were the newline (\n) and back references (\1, \2, etc.).

I think I'm going to have to put the replacement into an external lookup/command to include the ability to use other characters, like \r, \x0D, \t, or \x09.

gcusello · ‎05-22-2017

Hi stefan1988,
are you sure that it's a TAB and not spaces?
Bye.
Giuseppe

stefan1988 · ‎05-22-2017

Hi,

Yes I want to place a tab (ASCII 0x09).
\t seems not working.

Regards,
Stefan

What should I use to put a TAB literally in a regex replacement within transforms.conf?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!