I am trying to use regular expression to remove th...

1200125 · ‎02-21-2020

The below is the text we are capturing Filename=
&Filename=C%3A%5CUsers%5Cjbaile16%5CAppData%5CRoaming%5CDocumentum%5CViewed%5CSlip+End+3_Quote_AVNAN1900010_Kofax_LMPR_PL_2563798.pdf&Download=0&DownloadSize=144780 HTTP/1.1" 200 3 "-" "Java/1.8.0_192"

We used Regex: rex field=_raw "U(?\S{1,}.[gf])"
we are able to extract Users%5Cjbaile16%5CAppData%5CRoaming%5CDocumentum%5CViewed%5CSlip+End+3_Quote_AVNAN1900010_Kofax_LMPR_PL_2563798.pdf

but now we want to remove %5C from the extracted text and get the remaining text with a space instead

to4kawa · ‎02-21-2020

| makeresults
| eval _raw="&Filename=C%3A%5CUsers%5Cjbaile16%5CAppData%5CRoaming%5CDocumentum%5CViewed%5CSlip+End+3_Quote_AVNAN1900010_Kofax_LMPR_PL_2563798.pdf&Download=0&DownloadSize=144780 HTTP/1.1\" 200 3 \"-\" \"Java/1.8.0_192\""
| rex "Filename=(?<filepath>.*?)&"
| eval filepath=urldecode(filepath)
| eval Filename=mvindex(split(filepath,"\\"),-1)
| table filepath Filename

try urldecode
how about my REGEX?

efavreau · ‎02-21-2020

@1200125 Your rex command didn't work for me, but was close. Here's a run anywhere example, where I use the rex command and define a capture group. Then eval that capture group to replace the sequence.

| noop
| stats count
| eval _raw="Filename=&Filename=C%3A%5CUsers%5Cjbaile16%5CAppData%5CRoaming%5CDocumentum%5CViewed%5CSlip+End+3_Quote_AVNAN1900010_Kofax_LMPR_PL_2563798.pdf&Download=0&DownloadSize=144780 HTTP/1.1\" 200 3 \"-\" \"Java/1.8.0_192\""
| rex field=_raw "(?<mycapturegroup>U\S{1,}.[gf])"
| eval mycapturegroup = replace(mycapturegroup, "%5C", " ")

###

If this reply helps you, an upvote would be appreciated.

manjunathmeti · ‎02-21-2020

To replace %5C with " " use rex on Filename:

| rex field=Filename mode=sed "s/%5C/ /g"

I am trying to use regular expression to remove the keyword %5C from my extracted filed

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!