topic Re: Is it possible to use an extracted field inside a regex? in Splunk Search

Is it possible to use an extracted field inside a regex?

edrivera3 — Mon, 28 Sep 2020 19:39:43 GMT

I already extracted a field (block_num) in my event, but now I would like to use it as part of a new regex. I want to do something like this:
...| rex field=_raw " Block number block_num (? < block_info>\w{1,}?)" ---- where block_num is the field I already have.

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 15:05:59 GMT

Before the w there is a back slash.

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 15:20:19 GMT

I already tried enclosing the block_num in [ ] or in $$.

Re: Is it possible to use an extracted field inside a regex?

stephanefotso — Wed, 22 Apr 2015 15:21:05 GMT

No No No !
By writing ...| rex field=_raw " Block number block_num (? < block_info>\w{1,}?)", your are telling splunk to search for a word which is after the group of words Block number block_num. Splunk will not take block_num here as a field.
So i am not sure that what you want is yet possible.

Re: Is it possible to use an extracted field inside a regex?

aweitzman — Wed, 22 Apr 2015 15:23:41 GMT

Are these things in the same event? What does an event look like?

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 15:25:58 GMT

I know the regex is wrong, I would like to know if there is a way to do it.

Re: Is it possible to use an extracted field inside a regex?

stephanefotso — Wed, 22 Apr 2015 15:35:57 GMT

No! you can only take block_num as a word inside the regex. Let me know block_num values, i think i can help you extract block_info

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 15:37:10 GMT

Yes, they are in the same event. The event is quite a long and mostly a text. The structure of the events are like:
block number 500
... info (sometimes there are errors here)
.... info
End of block number
block number 501
....info
...info
End of block number 501
First I extract the error, then the block number where the error is, and finally I want to extract the whole block. Well... that's the idea.

Re: Is it possible to use an extracted field inside a regex?

richgalloway — Wed, 22 Apr 2015 15:43:34 GMT

Try something like this:

...| rex field=_raw " Block number ".block_num." (?P<block_info>\w{1,}?)" | ...

Re: Is it possible to use an extracted field inside a regex?

aweitzman — Wed, 22 Apr 2015 15:47:46 GMT

It looks like you're doing that inside out. Why not extract all the blocks first, and then filter your results based on whether there's an error in the block or not?

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 15:54:50 GMT

It is a 3-5 digit number.

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 15:59:00 GMT

ok. I'm going to give it a try.

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 16:07:43 GMT

I extracted all blocks, but how I search for an error inside each block text.

Re: Is it possible to use an extracted field inside a regex?

aweitzman — Wed, 22 Apr 2015 16:11:51 GMT

Use whatever error-finding regex you were using before on each block.

Alternatively, you can try to extract both at once:

rex field=_raw "Block number (?<block_num>\d+)(.*)[YOUR ERROR-EXTRACTING REGEX GOES HERE](.*)End of block number"

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 16:19:15 GMT

But you are only extracting the block_num which I already have.

About the alternative about using a error-finding regex after I extracted all blocks. How can I use a regex to look inside field values?

The following doesn't work because the block info is several lines, not only an error number:
...|search block_info="ERROR"

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 16:53:20 GMT

I think these are some of the options that I am looking for:

(1) a way to use a extracted field inside a regex

(2) If I extract all blocks in the event, is there is a way to look inside the field value to find if there is an error inside the block. Please consider that the field value is a string with several lines that include the word "ERROR".

(3) Is there is a way to use regex for looking for a word and extract some lines that are before it and after including the word?

Re: Is it possible to use an extracted field inside a regex?

richgalloway — Wed, 22 Apr 2015 17:12:04 GMT

For #1, see my answer.

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Mon, 28 Sep 2020 19:39:45 GMT

I tried that but I encountered an error:
Error in 'rex' command: Encountered the following error while compiling the regex 'Block number block_num (?P<.block_info.>\w{1,}?)': Regex: syntax error in subpattern name (missing terminator)

This is my regex:
...| rex field=_raw "Block number block_num (?P<".block_info.">\w{1,}?)"

Re: Is it possible to use an extracted field inside a regex?

richgalloway — Wed, 22 Apr 2015 17:42:46 GMT

I got no errors when I used concatenation in my rex command. What version of Splunk are you using?

Re: Is it possible to use an extracted field inside a regex?

edrivera3 — Wed, 22 Apr 2015 17:44:10 GMT

Version 6.2