topic Re: how to dynamically change rex pattern in Splunk Search

how to dynamically change rex pattern

vikasverma — Tue, 15 Dec 2020 16:46:10 GMT

Hello All,

I hope you all are doing well.

I have a situation wherein i have to pass current day value (Sun, Mon, Tue etc) in regex dynamically to capture a value associated which i have in lookup for that day.

I have a lookup, maintenance.csv with below fields.

host; maintenance_days

host1; Sun=1, Mon=2, Tue=3 and so on

What i want is, depending on the day on which my search is ran, it should fetch value the corresponding value of the day. For example, if my search runs on Mon, it should return 2, if it runs on Tue, it should return 3 etc.

I thought i can do this by calculating the day on the search time and passing this as variable in my regex and extracting the value for the day (1, 2, 3 etc) by using fields in rex command but its not working.

Search:

| inputlookup "maintenance.csv"
| eval date_wday=strftime(strptime(now(),"%d/%m/%Y"),"%a")
| rex field=maintenance_days "date_wday\=(?P<mday>[^,])"

What i need is, if above search is run on "Mon", then regex in search becomes, "| rex field=maintenance_days "Mon\=(?P<mday>[^,])"". If it runs on Wednesday, then it becomes "| rex field=maintenance_days "Wed\=(?P<mday>[^,])"" etc.

I have tried $date_way$ instead of date_wday but it didnt worked. I have tried putting "| rex field=maintenance_days "date_wday\=(?P<mday>[^,])"" inside a macro and passing "date_wday" as argument, but it again took it as a string instead of field value associated with it.

I did had some sucess in passing field value via map command but i am just wondering if there is any nicer way of doing this.

Re: how to dynamically change rex pattern

richgalloway — Tue, 15 Dec 2020 17:57:49 GMT

The $ syntax only works with tokens and the map command.

Try this

| inputlookup "maintenance.csv" | eval date_wday=strftime(strptime(now(),"%d/%m/%Y"),"%a") | rex field=maintenance_days date_wday."\=(?P<mday>[^,])"

Re: how to dynamically change rex pattern

bowesmana — Tue, 15 Dec 2020 22:26:04 GMT

@vikasverma

From your example, is it true that Sun=1 always and Mon=2 always and so on.

If so, then

| eval date_wday=tonumber(strftime(now(),"%w"))+1

If not, and the numbers are not consistent, then why do you not have your csv with

host;Sun;Mon;Tue;Wed;Thu;Fri;Sat host1;1,2,3,4,5,6,7

then you just lookup your day, but I'm not sure if that's what you're after.

An alternative is to do the logic from this search

| makeresults | eval row="host1; Sun=1, Mon=2, Tue=3, Wed=4, Thu=5, Fri=6, Sat=7" | rex field=row max_match=0 "(?<Day>\w{3})=(?<xday>\d+)" | eval today=strftime(now(), "%a") | eval mday=mvindex(xday, mvfind(Day, today))

where you are rexing out ALL the day name/value pairs into two multivalue fields, then finding the current day and using that as the offset to the mday values held above in the xday field.

Re: how to dynamically change rex pattern

vikasverma — Wed, 16 Dec 2020 09:21:50 GMT

@bowesmana, thanks for this. It worked brilliantly.. i will accept this as answer for this question. BUt again, just out of curiosity, is there any way to change rex pattern dynamically? i mean the way i was trying (obviously i ws doing something wrong)?

Re: how to dynamically change rex pattern

bowesmana — Thu, 17 Dec 2020 03:21:09 GMT

@vikasverma

passing variable things to other things is not easy, other than in the field pipeline, but as @richgalloway pointed out, the map command can do this, but there is another technique where you can do this sort of thing.

| makeresults | eval row="host1; Sun=1, Mon=2, Tue=3, Wed=4, Thu=5, Fri=6, Sat=7" | eval today=strftime(now(), "%a") | foreach today [ rex field=row "<<FIELD>>=(?<mday_rex>\d+)" ] | foreach today [ eval mday_replace=replace(row,".*".<<FIELD>>."=(\d+).*", "\1") ]

In the above, the foreach statement is used to pass the field value to the subsearch, however, the REX statement does NOT work and mday_rex is null, I don't know why, but the second form, where the replace statement is used, DOES work and the mday_replace field is set correctly. That's just capturing today's day=X value using regex and removing all other text.