Replacing "\\" with SEDCMD

responsys_cm
Builder

I have some log data in CEF format that is using "\\" for Windows directory paths, so they look like:

c:\\directory\\subdirectory

I've tried using sed to replace that with a single "\" character, but it's always failing. I think it's escaping the "/" character in the sed command.

How can I replace that either at search time or indexing (preferred)?

Thx.

Craig

1 Solution

Rob
Splunk Employee

You may want to try:

SEDCMD-replace = s/(\\\){1}\\\{1}/\1/g

It might be that SEDCMD has the same problem as the search-time "rex" command. For doing the replacement at search time, you can definitely use:

| rex mode=sed "s/(\\\){1}\\\{1}/\1/g"

or to clean it up...

| rex mode=sed "s/(\\\){2}/\1/g"

The key seems to be that the \ character needs to be followed by another character other than a forward slash in the replacement group. The regex is working around this by capturing a slash and then we re-use that captured slash as our replacement so we can use characters that are not a backslash in the replacement.

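The same replacements run through a POSIX shell with sed -E, as an added example that is not part of the thread: it shows the sed-level behaviour the answer above relies on (a capture group reused as the replacement, an alternate delimiter, and why a replacement that ends in a backslash right before the "/" delimiter fails to parse), plus the reverse single-to-double case asked about later in the thread. The CEF line is constructed. One caveat: this is the system sed, not Splunk's. Splunk applies its own backslash handling to the double-quoted rex argument before sed sees it, so the SPL form needs extra backslashes (compare Rob's `(\\\){2}` with the `(\\){2}` below); that layer is not modelled here.

```shell
#!/bin/sh
# Constructed CEF-style sample line with doubled backslashes in a Windows path
# (not taken from the original post).
SAMPLE='CEF:0|Vendor|Product|1.0|100|File access|3|fname=c:\\directory\\subdirectory'

# 1. Rob's trick: match two backslashes, capture one, and emit the capture.
#    The replacement side never spells out a backslash, so nothing in it can
#    be misread as an escaped "/" delimiter.
collapse_capture() {
    printf '%s\n' "$1" | sed -E 's/(\\){2}/\1/g'
}

# 2. woodcock's alternative: keep a literal backslash in the replacement but
#    use "%" as the delimiter, so a backslash followed by "/" is no longer
#    ambiguous.
collapse_delim() {
    printf '%s\n' "$1" | sed -E 's%\\\\%\\%g'
}

# 3. The broken form from the thread: the replacement's trailing backslash sits
#    directly before the "/" delimiter. sed reads "\/" as an escaped delimiter,
#    runs off the end of the command and exits non-zero ("unterminated `s'
#    command" on GNU sed).
collapse_broken() {
    printf '%s\n' "$1" | sed -E 's/\\\\/\/g'
}

# 4. smolcj's reverse question: single backslash -> double backslash.
#    "&" stands for the whole match, so "&&" writes the matched backslash
#    twice without putting a literal backslash in the replacement.
double_backslash() {
    printf '%s\n' "$1" | sed -E 's/\\/&&/g'
}

# Demonstration when run directly.
collapse_capture "$SAMPLE"
collapse_delim "$SAMPLE"
double_backslash "$(collapse_capture "$SAMPLE")"
collapse_broken "$SAMPLE" 2>/dev/null || echo "broken variant: sed refused to parse it (expected)"
```

Variants 1 and 2 produce the same single-backslash path; variant 4 turns that path back into the original doubled form; variant 3 is the shape that produces the "Failed to parse the regex to replace" error in the thread.
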
gkanapathy
Splunk Employee

SEDCMD-replace = s/\\\\/\\/g

though that may replace if it finds it in other places besides a file path.

smolcj
Builder

Thanks sowings. Then if I am searching the same, like
|index=main source= C:\home\filename.txt |rex field=source mode=sed "s/\/\\/g"
I get an error like
"Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."
I am confused whether the reason for this error is my regex. I am trying to replace a backslash with a double backslash. Please help me.
Thanks

sowings
Splunk Employee

SEDCMD is a directive in props.conf, not a search command. To emulate this in a search, use rex mode=sed <sed_expression> as described in @Rob's answer above.

smolcj
Builder

Can you help me do it in reverse: replace a single backslash with a double backslash in source after the search index=main sourcetype=type|top source | rex ""
When I try SEDCMD, there is an error saying I don't have permission to use SEDCMD. Please help.
Thanks for your time

responsys_cm
Builder

Nope. That doesn't work in props.conf or with rex mode=sed.

Here's the problem...

rex field=_raw mode=sed "s/\\\\/\\/g" produces:

Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace.

I get the same result with:

rex field=_raw mode=sed "s/\\\\/slash/g"

This successfully replaces the double backslash:

rex field=_raw mode=sed "s/\\\{2}/slash/g"

But any replacement text that ends with a backslash throws an error.

woodcock
Esteemed Legend

You can use other delimiter characters with sed; try using percent ('%') characters like this:

rex field=_raw mode=sed "s%/%%g"
