I have some log data in CEF format that is using "\\" for Windows directory paths, so they look like:
c:\\directory\\subdirectory
I've tried using sed to replace that with a single "\" character, but it's always failing. I think it's escaping the "/" character in the sed command.
How can I replace that either at search time or indexing (preferred)?
Thx.
Craig
You may want to try:
SEDCMD-replace = s/(\\\){1}\\\{1}/\1/g
It might be that the SEDCMD has the same problem as the search time based "rex" command. For doing the replacement at search time, you can definitely use:
| rex mode=sed "s/(\\\){1}\\\{1}/\1/g"
or to clean it up...
| rex mode=sed "s/(\\\){2}/\1/g"
The key seems to be that the \ character needs to be followed by another character other than a forward slash in the replacement group. The regex is working around this by capturing a slash and then we re-use that captured slash as our replacement so we can use characters that are not a backslash in the replacement.
SEDCMD-replace = s/\\\\/\\/g
though that may replace if it finds it in other places besides a file path.
Thanks sowings. Then, if I am searching the same like
|index=main source= C:\home\filename.txt |rex field=source mode=sed "s/\/\\/g"
I get an error like
"Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."
I am confused that the reason for this error is my regex. I am trying to replace a backslash with a double backslash. Please help me.
Thanks
SEDCMD is a directive in props.conf, not a search command. To emulate this in a search, use rex mode=sed <sed_expression> as described in @Rob's answer above.
Can you help me to do it in reverse, to replace a single backslash with a double backslash in source after the search index=main sourcetype=type|top source | rex ""?
When I am trying SEDCMD, there occurs an error saying I don't have permission to use SEDCMD. Please help.
Thanks for your time.
Nope. That doesn't work in props.conf or with rex mode=sed.
Here's the problem...
rex field=_raw mode=sed "s/\\\\/\\/g" produces:
Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace.
I get the same result with:
rex field=_raw mode=sed "s/\\\\/slash/g"
This successfully replaces the double backslash:
rex field=_raw mode=sed "s/\\\{2}/slash/g"
But any replacement text that ends with a backslash throws an error.
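As an added example that is not code from this thread (and Python rather than SPL, since the search language itself cannot be run here), the following shows the same capture-and-reuse idea as Rob's s/(\\\){2}/\1/g, the reverse direction asked for later in the thread, and a callable replacement that avoids the "replacement ends with a backslash" problem described just above. It also goes one step further than the thread and unescapes the CEF extension convention as a whole (a literal backslash is written "\\" and a literal "=" is written "\=" in extension values). The sample event, the vendor and product names, and the simplified parse_cef_extension helper are constructed for this example and are not from the original post.

```python
import re

# Constructed sample CEF event (not from the thread). In CEF extension values a
# literal backslash is escaped as "\\" and a literal "=" as "\=".
SAMPLE_EVENT = (
    r"CEF:0|ExampleVendor|ExampleProduct|1.0|100|File written|3|"
    r"fname=c:\\directory\\subdirectory\\file.txt suser=alice msg=key\=value"
)


def collapse_double_backslashes(text):
    # Same idea as the thread's  s/(\\\){2}/\1/g : match two consecutive
    # backslashes, capture one of them, and reuse the capture as the
    # replacement, so the replacement string itself never ends in a backslash.
    return re.sub(r"(\\){2}", r"\1", text)


def expand_single_backslashes(text):
    # Reverse direction asked for later in the thread. A callable replacement
    # sidesteps replacement-string escaping entirely: the function simply
    # returns the literal two-character string "\\".
    return re.sub(r"\\", lambda m: "\\\\", text)


def unescape_cef_value(value):
    # Generalisation of the capture-and-reuse trick to the full CEF extension
    # escaping: "\\" -> "\" and "\=" -> "=".
    return re.sub(r"\\([\\=])", r"\1", value)


def parse_cef_extension(event):
    # Split the seven pipe-delimited header fields from the extension (maxsplit
    # keeps any "|" inside the extension intact), then pull key=value pairs;
    # a value runs until the next " key=" or the end of the string.
    # Simplified helper (assumption): keys are word characters only.
    parts = event.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    extension = parts[7]
    pairs = re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", extension)
    return {key: unescape_cef_value(value) for key, value in pairs}


if __name__ == "__main__":
    fields = parse_cef_extension(SAMPLE_EVENT)
    print(fields["fname"])                             # c:\directory\subdirectory\file.txt
    print(expand_single_backslashes(fields["fname"]))  # c:\\directory\\subdirectory\\file.txt
```

The callable replacement in expand_single_backslashes is the Python equivalent of what the thread could not express in Splunk's sed: a replacement that is nothing but backslashes. Unescaping per extension value, rather than over the whole _raw line, also keeps the CEF header untouched.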
You can use other delimiter characters with sed; try using percent ('%') characters like this:
rex field=_raw mode=sed "s%/%%g"