Getting Data In

SEDCMD - special requirement for backslash?

jgauthier
Contributor

It seems I cannot replace data with a backslash in it.

For instance: DOMAIN\USERNAME

I have tried all of the following:

SEDCMD-translate=s/DOMAIN\//
SEDCMD-translate=s/DOMAIN\\//
SEDCMD-translate=s/DOMAIN\\\//   ( just for kicks.. nothing else works!)
SEDCMD-translate=s/DOMAIN\\\\//  (works on a unix command line!)

Any suggestions?


wrangler2x
Motivator

s/\x5C{1}//g works great for this

Really!? Yes, indeedy! Let's test it.

| makeresults
| eval domainUser="theLaTiDahDomain\johndoejr"
| table domainUser
| eval User=domainUser
| rex mode=sed field=User "s/.*\x5C{1}//"

This returns johndoejr in the User column.

| makeresults is a new feature beginning in 6.3, I believe. If you are on an earlier release use | gentimes start=-1 instead.


StorageMatt
New Member

Just to keep this thread up to date (because it just ended 4 hours of mental torture!), working in 6.5.2,

| rex field=User_name mode=sed "s/(\\\\)/\1\1/g" 

worked for me to translate {anything & any case}\{anything} into the same with a double backslash.

Useful when building a multiselect source query listing users from hundreds of different servers.
Thanks to all the contributors on here for their efforts 🙂

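An added example, not code from the thread: a small Python model of the regex layer a sed engine sees, applied to the expressions from the two answers above (wrangler2x's `\x5C{1}` and StorageMatt's doubling rewrite). It assumes that by the time the expression reaches the engine, the `\\\\` in StorageMatt's quoted SPL string has already collapsed to `\\`; the additional unescaping Splunk performs on props.conf and on quoted SPL strings is an assumption and is not modelled here.

```python
import re

# Added example: models only what a sed engine sees in s<d>pat<d>repl<d>flags.
# Splunk's own unescaping of props.conf values and quoted SPL strings is not
# reproduced here (assumption: one layer of backslash collapsing happens before).

def parse_sed(expr: str):
    """Split the expression on unescaped delimiters, keeping each backslash
    escape pair inside its field (so an escaped delimiter does not terminate it)."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("expression must start with 's'")
    delim = expr[1]
    fields, cur, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            cur.extend((ch, expr[i + 1]))   # keep the escape pair intact
            i += 2
            continue
        if ch == delim:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) < 3:
        # s/DOMAIN\// ends up here: the backslash escapes the delimiter, so the
        # replacement field is never closed and the command is unterminated.
        raise ValueError("unterminated s command: %r" % expr)
    return fields[0], fields[1], fields[2]

def is_well_formed(expr: str) -> bool:
    try:
        parse_sed(expr)
        return True
    except ValueError:
        return False

def apply_sed(expr: str, text: str) -> str:
    pattern, repl, flags = parse_sed(expr)
    count = 0 if "g" in flags else 1        # sed's g flag: replace every match
    return re.sub(pattern, repl, text, count=count)

if __name__ == "__main__":
    print(apply_sed(r"s/.*\x5C{1}//", "theLaTiDahDomain\\johndoejr"))  # johndoejr
    print(apply_sed(r"s/DOMAIN\x5C{1}//", "DOMAIN\\USERNAME"))          # USERNAME
    print(apply_sed(r"s/(\\)/\1\1/g", "DOMAIN\\user"))                  # DOMAIN\\user
    print(is_well_formed(r"s/DOMAIN\//"))                               # False
```

The `\x5C{1}` form sidesteps the escaping problem entirely because no literal backslash ever appears in the expression, which is why it survives every parsing layer the thread complains about.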

wrangler2x
Motivator

I have had many battles with backslashes over the years I've been working with Splunk. Something I thought was working back in the 4.1.3 days seems to not work now. But (and I am on 6.1.5 while writing this) I have found something that works very well, though it is a bit odd looking. Use \x5C{1} for the backslash. You can prove to yourself that this works by running the following search:

| gentimes start=-1 | eval domainUser="DOMAIN\USERNAME"
| table domainUser
| eval User=domainUser
| rex mode=sed field=User "s/DOMAIN\x5C{1}//"

Here is the output:

domainUser       User
DOMAIN\USERNAME  USERNAME

Ignore the line with the 5. following the rex above. Posting this adds it and I can't get rid of it. Doesn't show when I edit. Pfft.


wrangler2x
Motivator

Just a quick update to this: I've tested this in both SEDCMD in props.conf and in search using rex mode=sed and this works in both places. I think that SEDCMD is more picky, because I've found other ways of doing this in search with rex that don't work with SEDCMD. This works in both.


Rob
Splunk Employee

There is definitely something not quite right when using backslashes with the sed.

I provided a similar answer here: http://splunk-base.splunk.com/answers/54904/replacing-with-sedcmd/62199

Basically, you need to have the backslash characters be followed by a character that is not a slash and definitely not as part of the replacement. ajitsd provided a nice example by using a capture group instead of backslashes. However, you may need to escape more of the backslashes. For one backslash to match you will need to put in three backslashes as darrellgrundy mentioned. Try the following command in a search and see if that works for you:

| rex mode=sed "s/DOMAIN\\\{1}//g"

ajitsd
Explorer

It works fine using capturing groups.

In your example, I would use:

SEDCMD-translate=s/\(DOMAIN\)\\/\1/

You can also try it out raw in the search first by executing:

your_search | rex mode=sed "s/\(DOMAIN\)\\/\1/"

darrellgrundy
Engager

I have the same problem. No number of backslashes works interactively on the search command. Results in the following error "Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string."

UPDATE: seems to be fixed in v4.2.3 ... I needed three backslashes \\ for it to work with rex mode=sed field=_raw

gkanapathy
Splunk Employee

The correct match for a \ character in this file is \\, so your two slashes should work, and it worked for me even with / as the SEDCMD delimiter character. Are you sure that the rest of your regex is matching?


jgauthier
Contributor

BAH! It did it again. When I paste my comment it is removing backslashes. This is going to be a pain to document. Let me double up backslashes and try to get this to take it.

SEDCMD-translate=s/DOMAIN\\texthere//

This correctly replaces "DOMAIN\texthere"

SEDCMD-translate=s/DOMAIN\\//

This does not correctly replace "DOMAIN\"


jgauthier
Contributor

That is not what I typed! BAH.

Okay, let me try and correct this.

SEDCMD-translate=s/DOMAIN\texthere//
This correctly replaces "DOMAIN\texthere"

SEDCMD-translate=s/DOMAIN\//
This does not correctly replace "DOMAIN\"

I really botched up that comment with bad backslashes. I'm sorry! I am pretty sure I pasted that correctly.

In short, if I put text after \ it seems to replace.
But ending a replacement with a backslash does not appear to work correctly.


gkanapathy
Splunk Employee

Wait, so it sounds to me like it is matching fine? If you remove the \ and it matches, it should delete the entire match DOMAIN\, correct? Or did you mean as soon as you remove the \ then it does match?


jgauthier
Contributor

Curious. If I make the sedcmd look like this:

SEDCMD-translate=s/DOMAIN\texthere//

Then "DOMAIN\texthere" is replaced.

If I leave it as
SEDCMD-translate=s/DOMAIN\//

It doesn't replace "DOMAIN\".
I believe it may be a defect.


jgauthier
Contributor

Absolutely positive. If I replace just DOMAIN with something else, that something else shows up in the index.

As soon as I remove the \, it stops matching.

I will continue to experiment. Thanks!


Ledion_Bitincka
Splunk Employee

You can try to use another delimiter char for example:

SEDCMD-translate=s#DOMAIN\\##

Note that you need to escape the \ for the regex to match what you want.


Ledion_Bitincka
Splunk Employee

I seem to have mixed up the slashes - thus my answer is not really a solution here - I am not deleting just to let people know they can use other delimiters.
