Is it possible to use modular regular expressions ...

Xandervzyl · ‎10-01-2021

I was trying to extract an ip address field. During a search, using

|rex "[[ipv4]]"

works fine and creates an ip field. I then wanted to save this field extraction, so I used the field extractor to do so, edited the regular expression to [[ipv4]] and saved it, but it did not work.

I tried taking it down a level, editing the saved regular expression to

(?<ip>[[octet]](?:\.[[octet]]){3})

which also works while using the rex command during a search, but did not work saving it in the field extractor. I took it down one final level changing it to

(?<ip>(?:2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?)(?:\.(?:2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?)){3})

which doesn't use modular regular expressions, but finally does work in both the search and the saved field extraction.

I haven't found anything in the splunk docs that say modular regular expressions can't be used in the field extractor, so I thought it would be best to check here if that was the case, or if there is maybe some other issue I can't think of.

PickleRick · ‎10-01-2021

Hmm...

https://community.splunk.com/t5/Getting-Data-In/Am-I-using-modular-regular-expressions-wrong/m-p/439...

It seems that it should work but it seems it doesn't always and it's not clear why.

Is it possible to use modular regular expressions defined in transforms.conf, in saved field extractions?

field extraction

modular input

transforms.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!