https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165571#M47055 <P>The reason that I did not give a more clear answer was because your question was unclear. Do you mean that you mean that for this:</P> <PRE><CODE> &lt;Search query&gt; | rex field={FieldWithValue} "SomeRegEx" </CODE></PRE> <P>You would like the <CODE>rex</CODE> performed on the field name that is represented by the <EM><CODE>value</CODE></EM> of the <CODE>FieldWithValue</CODE> field?</P> Wed, 12 Aug 2015 14:09:43 GMT woodcock 2015-08-12T14:09:43Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165568#M47052 <P>Hi,</P> <P>I would like to how we can pass a field as a parameter to the rex expression in Splunk.<BR /> I am using the below which is not working for some reason.</P> <PRE><CODE>&lt;Search query&gt; | rex &lt;Field1&gt; | rex "&lt;tag1&gt;?(P=Field1)&lt;/tag1&gt;&lt;tag2&gt;(?P&lt;Field2&gt;)" | table Field1,Field2 </CODE></PRE> <P>Is there any other way we can pass parameters to a rex expression?</P> Tue, 11 Aug 2015 07:11:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165568#M47052 Murali2888 2015-08-11T07:11:15Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165569#M47053 <P>I am not exactly sure what you mean but perhaps you can make use of a <CODE>macro</CODE> to paramaterize your use of <CODE>rex</CODE>:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Search/Usesearchmacros">http://docs.splunk.com/Documentation/Splunk/6.2.4/Search/Usesearchmacros</A></P> Tue, 11 Aug 2015 15:49:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165569#M47053 woodcock 2015-08-11T15:49:07Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165570#M47054 <P>Thanks for your comments woodcock.</P> <P>I tried creating a parameterised macro, but the macro is not handling the "Field Name" as a parameter.<BR /> Instead of populating the value of the field, the macro populates the Field Name itself. </P> Wed, 12 Aug 2015 05:56:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165570#M47054 Murali2888 2015-08-12T05:56:56Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165571#M47055 <P>The reason that I did not give a more clear answer was because your question was unclear. Do you mean that you mean that for this:</P> <PRE><CODE> &lt;Search query&gt; | rex field={FieldWithValue} "SomeRegEx" </CODE></PRE> <P>You would like the <CODE>rex</CODE> performed on the field name that is represented by the <EM><CODE>value</CODE></EM> of the <CODE>FieldWithValue</CODE> field?</P> Wed, 12 Aug 2015 14:09:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165571#M47055 woodcock 2015-08-12T14:09:43Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165572#M47056 <P>I'm not sure exactly what you're asking either. I've used this below to use the value of a capture group later on in the rex, where "\1" is the value from the first capture group - in this case the malware_domain field. And I have to believe there is a way to escape field values as well is needed (would need to read up on rex), but maybe not.</P> <PRE><CODE>rex "CEF.+rewrite (?&lt;malware_domain&gt;\S+).+(\1|nsdname)\.(?&lt;apt_policy&gt;[^\"]+)" </CODE></PRE> Wed, 12 Aug 2015 15:07:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-field-as-a-parameter-to-the-rex-command/m-p/165572#M47056 maciep 2015-08-12T15:07:06Z