Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to use modular regular expressions defined in transforms.conf, in saved field extractions?

Xandervzyl
Engager
‎10-01-2021 02:22 AM

I was trying to extract an ip address field. During a search, using

|rex "[[ipv4]]"

works fine and creates an ip field.  I then wanted to save this field extraction, so I used the field extractor to do so, edited the regular expression to [[ipv4]] and saved it, but it did not work.

I tried taking it down a level, editing the saved regular expression to 

(?<ip>[[octet]](?:\.[[octet]]){3})

which also works while using the rex command during a search, but did not work saving it in the field extractor. I took it down one final level changing it to

(?<ip>(?:2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?)(?:\.(?:2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?)){3})

which doesn't use modular regular expressions, but finally does work in both the search and the saved field extraction.

I haven't found anything in the splunk docs that say modular regular expressions can't be used in the field extractor, so I thought it would be best to check here if that was the case, or if there is maybe some other issue I can't think of.

0 Karma
Reply

PickleRick
Ultra Champion
‎10-01-2021 03:10 AM

Hmm...

https://community.splunk.com/t5/Getting-Data-In/Am-I-using-modular-regular-expressions-wrong/m-p/439...

It seems that it should work but it seems it doesn't always and it's not clear why.

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!