- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use "rex" instead of "replace" to searc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was using REPLACE and that works fine until I found out that I cannot search for a string with spaces. For instance, this works great:
index=main sourcetype=access_combined | eval os=useragent
| replace Windows with Windows, Macintosh with Apple, Linux with Linux in os | top limit=3 useother=t os
but this won't work because now I am searching for a string with a space inside it:
source="file001.csv" host="my host" index="index001" sourcetype="csv" Advertiser!=DTV*
| eval sitesection='Site Section'
| replace Android Phone with AndroidPhone, Android Tablet with AndroidTablet in sitesection
| top limit=5 useother=t sitesection
Any ideas how to do this using rex? Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this. Match check for regular expressions, so you can basically put any content that you want to match.
Updated
source="file001.csv" host="my host" index="index001" sourcetype="csv" Advertiser!=DTV*
| eval sitesection='Site Section'
| eval sitesection=case(match(sitesection,"Android.*Phone"),"AndroidPhone", match(sitesection,"Android.*Tablet"),"AndroidTablet",1=1,sitesection)
| top limit=5 useother=t sitesection
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use replace in two ways and both of them should work as far as String with space should be placed within double quotes.
<your base search> | replace "Android Phone" with AndroidPhone, "Android Tablet" with AndroidTablet in sitesection | top limit=5 useother=t sitesection
You can also use replace recursively with eval:
<your base search> | eval sitesection=replace(replace (sitesection,"Android Phone","AndroidPhone"),"Android Tablet","AndroidTablet")| top limit=5 useother=t sitesection
Using Rex to remove spaces within field.
<your base search> | rex mode=sed field=sitesection "s/ //g"|
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this. Match check for regular expressions, so you can basically put any content that you want to match.
Updated
source="file001.csv" host="my host" index="index001" sourcetype="csv" Advertiser!=DTV*
| eval sitesection='Site Section'
| eval sitesection=case(match(sitesection,"Android.*Phone"),"AndroidPhone", match(sitesection,"Android.*Tablet"),"AndroidTablet",1=1,sitesection)
| top limit=5 useother=t sitesection
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you mean something like this didn't work? (first line is just to generate sample data)
| gentimes start=-1 | eval sitesection="this is Android Phone here" | table sitesection
| eval sitesection=case(match(sitesection,"Android Phone"),"AndroidPhone", match(sitesection,"Android Tablet"),"AndroidTablet",1=1,sitesection)
| top limit=5 useother=t sitesection
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
actually the search for a string with a space did not work in this case. I will just use REPLACE with an asterisk in it and it will work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is exactly what I was looking for! Thank you!
ps: my REPLACE method eventually worked too. I tried to post my solution but this site wouldnt let me post more than 2 posts a day....bummer
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FWIW, this works in 6.5.1
| makeresults | eval sitesection="Android Phone" | replace "Android Phone" with AndroidPhone in sitesection | table _time sitesection
To the same using rex:
| makeresults | eval sitesection="Android Phone" | rex field=sitesection mode=sed "s/Android Phone/AndroidPhone/" | table _time sitesection
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it didnt work, it says that makeresults must be the first command of a search so I moved it to the top but no luck. Also I need to add other string searches in the same query and the behaviour needs to be like the one in REPLACE, that is if I have the following string: "Testing Android Phone Watch"
I want to look for "Android Phone" and replace the entire string above with "Android" like this:
replace /Android Phone/ with Android
| makeresults
| eval sitesection='Site Section'
| eval sitesection="Android Phone" | rex field=sitesection mode=sed "s/Android Phone/AndroidPhone/"
| eval sitesection="iPhone" | rex field=sitesection mode=sed "s/iPhone testing/iPhone/"
| table _time sitesection
PS: removing makeresults seems to replace the string....testing it now
Thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The makeresult command Rich used was to just generate placeholder to test the rex/replace command. You should replace | makeresults | eval sitesection="Android Phone" with your search.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
