- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can regex remove spaces inside a capture group?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using regex slot and port information. Here is an example of the syslog output:
Slot1 : OLTPort2
Is it possible in regex to remove the spaces around the :?
I would like it to look like this:
Slot1:OLTPort2
By using two captures I can use eval to combine two extracts but I would prefer to do it with regex, if possible.
| where isnotnull(S_Slot) AND isnotnull(S_Port) | eval SlotAndPort = S_Slot . ":" . S_Port
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@donemery you can use replace() evaluation function to remove spaces from your data.
| makeresults
| eval data="Slot1 : OLTPort2"
| eval dataWithoutSpace=replace(data,"\s","")
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Always share as much as you can. Now that we have your RegEx, your problem is clear. You cannot fix it in a single step; it till take 2 and the 2 change depending on whether this is search-time or index-time, which again, you neglected to tell us. In either case, add a new transform to the end of the existing REPORT- or TRANSFORMS- line called StripSpaces. Then put this in your transforms.conf:
[StripSpaces]
SOURCE_KEY = <YourExistingFieldNameWhichYouDidNotShare>
REGEX = (\S+)\s*:\s*(\S+)
FORMAT = $1::":"::$2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. In the future I will provide more details to start and I will reach out to the folks that administer Splunk for us to see what is the method they will implement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that your existing RegEx looks something like this:
(?<Slot1>[^xyz]+)
Change it to this:
\s*(<Slot1>[^xyz\s]+)\s*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't get the \s* to work with my field extraction. Maybe I am doing something wrong.
Here is the full field extraction:
^[^\[\n]*\[\s+(?P[S,s]lot\d+\s+\:\s+[O,U][L,p][T,l]\D{3,8}\d+)
Here is an example of the data I am extracting from:
Apr 15 17:25:49 +00:00 HOST06-XXXX [ Slot4 : OLTPort3 : ONU7 : In service.]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@donemery you can use replace() evaluation function to remove spaces from your data.
| makeresults
| eval data="Slot1 : OLTPort2"
| eval dataWithoutSpace=replace(data,"\s","")
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need rex command in sed mode. Assuming your field with both slot and port is SlotAndPort:
... your search ...
| rex field=SlotAndPort mode=sed "s/ //g"
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Rex has more details.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
haha, I was overthinking. @niketnilay's answer is much better! This would be more useful if you needed to replace a pattern, not a particular character.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
