Splunk Search

Backreferences in Fieldnames of rex

SaltyHash123
Explorer

Hey There,

I have n systems.

I would like to apply a rex query where each field name contains the system ID, which I have to extract from the logs too.

Example:

... | rex field=_raw "System(\d+)\sFailure\sRate\s(?<system_\1_failurerate>\d*)"

Unfortunately, backreferencing in field names does not seem to be supported.

Does anyone have an idea? It needs to be added to a TA afterwards, hence eval etc. are not applicable.

Thanks 🙂

1 Solution

ITWhisperer
SplunkTrust

How about modifying the text into XML and extracting the fields that way?

| makeresults
| eval _raw="SystemR1 Failure Rate 17
System2 Failure Rate 3"
| rex mode=sed "s/(?<system>System.+\sFailure\sRate) (?<rate>\d+)/<\1>\2<\/\1>/g s/\s+/_/g"
| spath

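Added as an illustration, not part of the thread: a Python emulation of the accepted answer's approach, where a regex substitution plays the role of `rex mode=sed` and ElementTree plays the role of `spath`, run on a constructed two-line event. The field-name pattern `system_<id>_failurerate` is taken from the question; the root wrapper and the escaping of text between matches are assumptions added so that a strict parser accepts the result.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample event modelled on the one in the thread: a single _raw
# value carrying several "System<ID> Failure Rate <N>" lines.
RAW_EVENT = "SystemR1 Failure Rate 17\nSystem2 Failure Rate 3"

# Same capture idea as the question: the system ID (optionally prefixed with R)
# and the rate are captured as separate groups.
MATCH_RE = re.compile(r"System(?P<id>R?\d+)\sFailure\sRate\s(?P<rate>\d+)")


def to_xml(raw: str) -> str:
    """Stand-in for `rex mode=sed`: rewrite every match as an XML element whose
    tag name carries the system ID (assumed pattern system_<id>_failurerate)."""
    parts = []
    pos = 0
    for m in MATCH_RE.finditer(raw):
        # Literal log text between matches is escaped so a stray '<' or '&'
        # in the event cannot break the parse (the sed version has no guard).
        parts.append(escape(raw[pos:m.start()]))
        tag = f"system_{m.group('id')}_failurerate"
        parts.append(f"<{tag}>{m.group('rate')}</{tag}>")
        pos = m.end()
    parts.append(escape(raw[pos:]))
    # A single root keeps the document well-formed for a strict parser
    # (spath tolerates fragments; ElementTree does not).
    return "<root>" + "".join(parts) + "</root>"


def extract_fields(raw: str) -> dict:
    """Stand-in for `spath`: one field per element, named after its tag, so
    every match in the event yields its own field."""
    root = ET.fromstring(to_xml(raw))
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(to_xml(RAW_EVENT))
    print(extract_fields(RAW_EVENT))
```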

SaltyHash123
Explorer

It works, but I forgot to mention that each log can have multiple matches. This solution will only find the first match in the logs.

ITWhisperer
SplunkTrust

Perhaps you could share an anonymised example log entry or two - please use the code block (</>) to share it.

SaltyHash123
Explorer

SystemR1 Failure Rate 17
System2 Failure Rate 3

I kept the whole example abstract as I can't even share anonymised data 😕

Making a rex like the following one will match the first row with system R1 but ignore system 2:

| rex field=_raw "System(?<id>R?\d)\sFailure\sRate\s(?<rate>\d+)"
| eval system_{id}_failure = rate

Using multivalues is also not possible, as this will be used as a transform in a globally available TA.

ITWhisperer
SplunkTrust

| rex field=_raw "System(?<number>\d+)\sFailure\sRate\s(?<system_failurerate>\d*)"
| eval system_{number}_failurerate=system_failurerate