Is it possible to use tokens in rex fields?

codywsj — Thu, 30 Jul 2020 14:50:37 GMT

Hi,

Is it possible to use tokens in rex fields like this?

| rex "\d{1,2}-\S{3}\s\d{2}:\d{2}:\d{2}.\d{3}\s\S{3}\s\[(?<ip2>$spec_ip$)\]\s%NICWIN-4-Security_560_Security[\S\s]+?(?<log_time2>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{2}\s\d{2}:\d{2}:\d{2})[\S\s]+?\S*Object\sName:\s(?<object_name2>[\S\s]+?)New\sHandle\sID[\S\s]+?Primary\sUser\sName:\s(?<username2>[\S\s]+?)\s+"

Re: Is it possible to use tokens in rex fields?

bowesmana — Fri, 31 Jul 2020 06:08:20 GMT

I don't see why not - easy enough to test - just make a dashboard with a text input token spec_ip and see. See this

<form> <label>test_ip</label> <fieldset submitButton="false"> <input type="text" token="spec_ip" searchWhenChanged="true"> <label>IP format</label> <default>\d+\.\d+\.\d+\.\d+</default> </input> </fieldset> <row> <panel> <table> <title>Parsing IP address with $spec_ip$ format</title> <search> <query>| makeresults | eval IP=(random()%256).".".(random()%256).".".(random()%256).".".(random()%256) | rex field=IP "(?<ip2>$spec_ip$)" | eval format=$spec_ip|s$</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>

topic Re: Is it possible to use tokens in rex fields? in Dashboards & Visualizations

Is it possible to use tokens in rex fields?

Re: Is it possible to use tokens in rex fields?