Is it possible to use modular regular expressions ...

Xandervzyl · ‎10-01-2021

I was trying to extract an ip address field. During a search, using

|rex "[[ipv4]]"

works fine and creates an ip field. I then wanted to save this field extraction, so I used the field extractor to do so, edited the regular expression to [[ipv4]] and saved it, but it did not work.

I tried taking it down a level, editing the saved regular expression to

(?<ip>[[octet]](?:\.[[octet]]){3})

which also works while using the rex command during a search, but did not work saving it in the field extractor. I took it down one final level changing it to

(?<ip>(?:2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?)(?:\.(?:2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?)){3})

which doesn't use modular regular expressions, but finally does work in both the search and the saved field extraction.

I haven't found anything in the splunk docs that say modular regular expressions can't be used in the field extractor, so I thought it would be best to check here if that was the case, or if there is maybe some other issue I can't think of.

PickleRick · ‎10-01-2021

Hmm...

https://community.splunk.com/t5/Getting-Data-In/Am-I-using-modular-regular-expressions-wrong/m-p/439...

It seems that it should work but it seems it doesn't always and it's not clear why.

Is it possible to use modular regular expressions defined in transforms.conf, in saved field extractions?

field extraction

modular input

transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation