It seems I cannot replace data with a backslash in it.
For instance: DOMAIN\USERNAME
I have tried all of the following:
SEDCMD-translate=s/DOMAIN\//
SEDCMD-translate=s/DOMAIN\\//
SEDCMD-translate=s/DOMAIN\\\// ( just for kicks.. nothing else works!)
SEDCMD-translate=s/DOMAIN\\\\// (works on a unix command line!)
Any suggestions?
s/\x5C{1}//g works great for this
Really!? Yes, indeedy! Let's test it.
| makeresults
| eval domainUser="theLaTiDahDomain\johndoejr"
| table domainUser
| eval User=domainUser
| rex mode=sed field=User "s/.*\x5C{1}//"
This returns johndoejr in the User column.
| makeresults is a new feature beginning in 6.3, I believe. If you are on an earlier release use | gentimes start=-1 instead.
Just to keep this thread up to date (because it just ended 4 hours of mental torture!), working in 6.5.2,
| rex field=User_name mode=sed "s/(\\\\)/\1\1/g"
worked for me to translate {anything & any case}\{anything} into the same with a double backslash.
Useful when building a multiselect source query listing users from hundreds of different servers.
Thanks to all the contributors on here for their efforts 🙂
I have had many battles with backslashes over the years I've been working with Splunk. Something I thought was working back in the 4.1.3 days seems to not work now. But (and I am on 6.1.5 while writing this) I have found something that works very well, though it is a bit odd looking. Use \x5C{1} for the backslash. You can prove to yourself that this works by running the following search:
| gentimes start=-1 | eval domainUser="DOMAIN\USERNAME"
| table domainUser
| eval User=domainUser
| rex mode=sed field=User "s/DOMAIN\x5C{1}//"
Here is the output:
domainUser User
DOMAIN\USERNAME USERNAME
Ignore the line with the 5. following the rex above. Posting this adds it and I can't get rid of it. Doesn't show when I edit. Pfft.
Just a quick update to this: I've tested this in both SEDCMD in props.conf and in search using rex mode=sed and this works in both places. I think that SEDCMD is more picky, because I've found other ways of doing this in search with rex that don't work with SEDCMD. This works in both.
There is definitely something not quite right when using backslashes with the sed.
I provided a similar answer here: http://splunk-base.splunk.com/answers/54904/replacing-with-sedcmd/62199
Basically, you need to have the backslash characters be followed by a character that is not a slash and definitely not as part of the replacement. ajitsd provided a nice example by using a capture group instead of backslashes. However, you may need to escape more of the backslashes. For one backslash to match you will need to put in three backslashes as darrellgrundy mentioned. Try the following command in a search and see if that works for you:
| rex mode=sed "s/DOMAIN\\\{1}//g"
It works fine using capturing groups.
In your example, I would use:
SEDCMD-translate=s/\(DOMAIN\)\\/\1/
You can also try it out raw in the search first by executing:
your_search | rex mode=sed "s/\(DOMAIN\)\\/\1/"
I have the same problem. No number of backslashes works interactively on the search command. Results in the following error "Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string."
UPDATE: seems to be fixed in v4.2.3 ... I needed three backslashes \\ for it to work with rex mode=sed field=_raw
The correct match for a \ character in this file is \\, so your two slashes should work, and it worked for me even with / as the SEDCMD delimiter character. Are you sure that the rest of your regex is matching?
BAH! It did it again. When I paste my comment it is removing backslashes. This is going to be a pain to document. Let me double up backslashes and try to get this to take it.
SEDCMD-translate=s/DOMAIN\\texthere//
This correctly replaces "DOMAIN\texthere"
SEDCMD-translate=s/DOMAIN\\//
This does not correctly replace "DOMAIN\"
That is not what I typed! BAH.
Okay, let me try and correct this.
SEDCMD-translate=s/DOMAIN\texthere//
This correctly replaces "DOMAIN\texthere"
SEDCMD-translate=s/DOMAIN\//
This does not correctly replace "DOMAIN\"
I really botched up that comment with bad backslashes. I'm sorry! I am pretty sure I pasted that correctly.
In short, if I put text after \ it seems to replace.
But ending a replacement with a backslash does not appear to work correctly.
Wait, so it sounds to me like it is matching fine? If you remove the \ and it matches, it should delete the entire match DOMAIN\, correct? Or did you mean as soon as you remove the \ then it does match?
Curious. If I make the sedcmd look like this:
SEDCMD-translate=s/DOMAIN\texthere//
Then "DOMAIN\texthere" is replaced.
If I leave it as
SEDCMD-translate=s/DOMAIN\//
It doesn't replace "DOMAIN\".
I believe it may be a defect.
Absolutely positive. If I replace just DOMAIN with something else, that something else shows up in the index.
As soon as I remove the \, it stops matching.
I will continue to experiment. Thanks!
You can try to use another delimiter char for example:
SEDCMD-translate=s#DOMAIN\\##
Note that you need to escape the \ for the regex to match what you want.
I seem to have mixed up the slashes - thus my answer is not really a solution here - I am not deleting just to let people know they can use other delimiters.
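Added example (not from any poster in this thread, and not Splunk's own parser): a small Python model of how standard sed splits an s<delim>pattern<delim>replacement<delim>flags expression, run over expressions quoted above. It shows that s/DOMAIN\// is unterminated because \/ is an escaped delimiter, while the \x5C form never puts a backslash next to the delimiter. Python's re module stands in for the regex layer; parse_sed_subst, apply_sed, evaluate and the sample string are names and data constructed for this example.

```python
import re

def parse_sed_subst(expr):
    """Split s<d>pattern<d>replacement<d>flags as standard sed does: a
    backslash escapes the next character, so \\<d> never ends a field."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("not a substitution: %r" % expr)
    delim, fields, cur, i = expr[1], [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            # An escaped delimiter becomes a literal delimiter character;
            # every other escape is passed through to the regex engine.
            cur.append(nxt if nxt == delim else ch + nxt)
            i += 2
        elif ch == delim and len(fields) < 2:
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 2:
        raise ValueError("unterminated substitution: %r" % expr)
    return fields[0], fields[1], "".join(cur)

def apply_sed(expr, text):
    pattern, repl, flags = parse_sed_subst(expr)
    return re.sub(pattern, repl, text, count=0 if "g" in flags else 1)

SAMPLE = "DOMAIN\\USERNAME"  # constructed input: DOMAIN, one backslash, USERNAME
CANDIDATES = [               # expressions quoted in the thread
    r"s/DOMAIN\//",          # \/ is an escaped delimiter: unterminated
    r"s/DOMAIN\\//",         # regex DOMAIN\\ matches one literal backslash
    r"s/DOMAIN\x5C{1}//",    # hex escape, no backslash next to the delimiter
    r"s#DOMAIN\\##",         # alternative delimiter
]

def evaluate(candidates, text=SAMPLE):
    results = {}
    for expr in candidates:
        try:
            results[expr] = apply_sed(expr, text)
        except (ValueError, re.error) as exc:
            results[expr] = "ERROR: %s" % exc
    return results

if __name__ == "__main__":
    for expr, out in evaluate(CANDIDATES).items():
        print("%-22s -> %s" % (expr, out))
```

The thread reports that Splunk's SEDCMD handling differs from this model for s/DOMAIN\\//, so confirm any expression against your own Splunk version before relying on it at index time.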