Splunk Search

Backreferences in Fieldnames of rex

SaltyHash123
Explorer

Hey There,

I have n systems.

I would like to apply a rex query where each field name contains the system ID, which I have to extract from the logs too.

Example:

... | rex field=_raw "System(\d+)\sFailure\sRate\s(?<system_\1_failurerate>\d*)"

Unfortunately, backreferencing in field names seems not to be supported.

Does anyone have an idea? It needs to be added in a TA afterwards, hence eval etc. are not applicable.

Thanks 🙂

1 Solution

ITWhisperer
SplunkTrust

How about modifying the text into xml and extracting the fields that way

| makeresults
| eval _raw="SystemR1 Failure Rate 17
System2 Failure Rate 3"
| rex mode=sed "s/(?<system>System.+\sFailure\sRate) (?<rate>\d+)/<\1>\2<\/\1>/g s/\s+/_/g"
| spath


SaltyHash123
Explorer

It works, but I forgot to mention that each log can have multiple matches. This solution will only find the first match in the logs.

0 Karma

ITWhisperer
SplunkTrust

Perhaps if you could share an anonymised example log entry or two - please use code block </> to share it

0 Karma

SaltyHash123
Explorer

SystemR1 Failure Rate 17
System2 Failure Rate 3

I kept the whole example abstract as I can't even share anonymized data 😕

Making a rex like the following one will match the first row with system R1 but ignore system 2:

| rex field=_raw "System(?<id>R?\d)\sFailure\sRate\s(?<rate>\d+)"
| eval system_{id}_failure = rate

Using multivalues is also not possible, as this will be used as a transform in a globally available TA.

0 Karma


ITWhisperer
SplunkTrust

| rex field=_raw "System(?<number>\d+)\sFailure\sRate\s(?<system_failurerate>\d*)"
| eval system_{number}_failurerate=system_failurerate
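As an added illustration (this is not code from the thread, and Splunk itself cannot be run here), the following Python mimics on the constructed two-line sample event the three things discussed above: a single-match rex followed by eval (which yields a field for the first match only), the one-field-per-match result that a backreference inside the field name would have produced, and the accepted answer's sed rewrite to XML with a rough stand-in for spath. The function names, the `R?\d+` ID pattern and the constructed event are my own assumptions.

```python
import re

# Constructed sample event with the same shape as the anonymised example in the thread.
SAMPLE_EVENT = "SystemR1 Failure Rate 17\nSystem2 Failure Rate 3"

# Python equivalent of the rex used in the thread (R?\d widened to R?\d+ as an assumption).
PATTERN = re.compile(r"System(?P<id>R?\d+)\sFailure\sRate\s(?P<rate>\d+)")


def first_match_fields(event):
    """Mimic `rex` without max_match followed by `eval system_{id}_failure = rate`:
    only the first match in the event produces a field."""
    m = PATTERN.search(event)
    if not m:
        return {}
    return {f"system_{m['id']}_failurerate": int(m["rate"])}


def all_match_fields(event):
    """What a backreference in the rex field name would have produced:
    one dynamically named field per match in the event."""
    return {f"system_{m['id']}_failurerate": int(m["rate"]) for m in PATTERN.finditer(event)}


def to_xml(event):
    """Mimic the accepted answer's two sed expressions:
    wrap each 'System... Failure Rate N' in tags named after the matched text,
    then turn every whitespace run into '_' so the tag names are valid XML names."""
    # s/(System.+\sFailure\sRate) (\d+)/<\1>\2<\/\1>/g  ('.' does not cross the newline)
    xml = re.sub(r"(System.+\sFailure\sRate) (\d+)", r"<\1>\2</\1>", event)
    # s/\s+/_/g  -- note this also replaces the newline between the two records with '_'
    return re.sub(r"\s+", "_", xml)


def fields_from_xml(xml):
    """Rough stand-in for `spath`: collect <name>value</name> pairs into a dict.
    The backreference \\1 makes sure the closing tag matches the opening one."""
    return {name: int(val) for name, val in re.findall(r"<([A-Za-z0-9_]+)>(\d+)</\1>", xml)}


if __name__ == "__main__":
    print(first_match_fields(SAMPLE_EVENT))
    print(all_match_fields(SAMPLE_EVENT))
    print(to_xml(SAMPLE_EVENT))
    print(fields_from_xml(to_xml(SAMPLE_EVENT)))
```

Two points worth noticing when running it: the whitespace-collapsing sed also turns the record separator into an underscore between the closing and opening tags, so the result is not strictly well-formed XML and relies on the extractor being lenient; and with either approach the field (or tag) names are built directly from event text, so a pattern as loose as `System.+` should be tightened to the exact ID format before it goes into a globally shared TA.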