topic Re: Is it possible to define tags using regex? in Splunk Search

Is it possible to define tags using regex?

tgdvopab — Tue, 21 Jun 2016 08:52:10 GMT

I would like to define a tag in splunk using a regex.

Example:
host=st1231, host=1232, host=1233 --> the name of the tag should be "foo"
host=st1234, host=1235, host=1236, host=1237 -> the name of the tag should be "bar"

Is it possible to define these tags above using a regex? Or do I have to define for each host its own tag?

Re: Is it possible to define tags using regex?

tgdvopab — Tue, 21 Jun 2016 09:06:03 GMT

The regex should look like: host=st123[1-3] for "foo" and host=st123[4-7] for "bar"

Re: Is it possible to define tags using regex?

sundareshr — Tue, 21 Jun 2016 11:53:02 GMT

Don't believe tags support wildcards or regex. Alternatively you could use search macros and regex. Something like this should work

[foo]
definition = index=st123* | regex host="st123[1-3]"

[bar]
definition = index=st123* | regex host="st123[4-7]"

In your search, you could use

`foo` 

OR 

`bar`

Re: Is it possible to define tags using regex?

woodcock — Tue, 21 Jun 2016 11:53:03 GMT

The only way that you can do any wildcarding is to use * in an eventtype definition and then you create a tag with a value like this:

eventtype=<Your eventtype Name Here>`

Even so, you cannot use pipes | in your eventtype so you are cannot use the RegEx-ish commands like regex, so this is not really an answer, other than to assure you that there is no answer.

Re: Is it possible to define tags using regex?

tgdvopab — Tue, 21 Jun 2016 11:58:14 GMT

Thanks for your answer!

Would it be possible to make a list of hosts in a tag?
Example: host=(st1231 OR host=1232 OR host=1233) as tag "foo"?

Re: Is it possible to define tags using regex?

tgdvopab — Tue, 21 Jun 2016 11:58:22 GMT

Thanks for your answer!

Would it be possible to make a list of hosts in a tag?
Example: host=(st1231 OR host=1232 OR host=1233) as tag "foo"?

Re: Is it possible to define tags using regex?

woodcock — Tue, 21 Jun 2016 12:02:24 GMT

No, but

1: You can use a list in your eventtype. If you are using the GUI, when you create an eventtype with a search string, there is place to assign it a tag name, too.
2: You can create multiple tag definitions, one-by-one, recycling the same tag name, one for each host KVP.

Re: Is it possible to define tags using regex?

_jgpm_ — Thu, 05 Jan 2017 16:34:20 GMT

@woodcock, I tried creating an event type, but it wouldn't let me include search commands in the event type. I'm on 6.4.3.

Can you help me understand why this is the case?

Re: Is it possible to define tags using regex?

mfleischman_spl — Wed, 19 Jun 2019 21:16:22 GMT

Tags CAN be created with wildcards:
Settings > Tags > All unique tag objects > New Tag:
Tag name = privileged_user
Field name = user
Field value = admin

Search: tag=privileged_user (will find admin, sysadmin, adminsap, etc)

Re: Is it possible to define tags using regex?

woodcock — Thu, 20 Jun 2019 22:57:26 GMT

I have clarified my answer.

Re: Is it possible to define tags using regex?

ram148280 — Fri, 21 Jun 2019 07:38:59 GMT

You can dow this with Python also.,Ya its You can dow with this This is a known problem with regex - you can't match pairs. Matching is either greedy, in which it matches the last one it finds, or non-greedy, in which it matches the first. You can't persuade a regex to count opening and closing brackets.

I would recommend loading it into a DOM and using that. If you are trying to implement an HTML parser, I would recommend using regex to lex it, then a left-right parser to parse the output of your lexer.