Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting rex field with a newly extracted rex field

griffinpair
Path Finder
‎08-11-2017 10:10 AM

Below is the current search I have put together to extract a couple fields. The extraction of the ClientID from the source works perfect. I now need to extract the filetype from the import_File field based on the previously extracted ClientID.

Search:

source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* Moved earliest=-36h@h
| rex field=source "importhelpers\\\\+(?ClientID[^\\\\]+)"
| rex field=import_File ""ClientID"\\\\\\\\\\+(?filetype[^\\]+)"

import_File Examples: 

D:\XSP\Builds\IRM\InternalImports\IRM\Account\IRM_Accounts_20170810_csv.xml 
D:\XSP\Builds\USBI\InternalImports\IRM\Manager\IRM_Accounts_20170810_csv.xml
  • In these examples I am trying to extract from the import_File where file_Type will be Account or Manager.
  • It is important to note that IRM and USBI right before that is the ClientID that is extracted from the first rex field. This ClientID will be different for each client and I will need to extract the filetype based on this.
0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2017 12:48 PM

If I understand you correctly, you would like to use the values of the previously generated-by-rex-at-search-time field ClientID inside of a later rex call as part of the RegEx string/pattern, right?

0 Karma
Reply

somesoni2
Revered Legend
‎08-11-2017 12:08 PM

If the field import_File contains both ClientID and filetype, why not just extract ClientID along with filetype from import_File field only. This way you can avoid reference previously extracted value (dynamic) in your 2nd rex.

source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* Moved earliest=-36h@h
| rex field=import_File "InternalImports\\\\(?<ClinetID>[^\\\]+)\\\\(?<filetype>[^\\\]+)"
0 Karma
Reply

sbbadri
Motivator
‎08-11-2017 11:04 AM

@griffinpair

Assuming that IRM and USBI are clientID's. Account and Manager are filetype's

| makeresults | eval import_File="D:\XSP\Builds\IRM\InternalImports\IRM\Account\IRM_Accounts_20170810_csv.xml;D:\XSP\Builds\USBI\InternalImports\IRM\Manager\IRM_Accounts_20170810_csv.xml " | makemv delim=";" import_File| mvexpand import_File| eval test=replace(import_File,"\\","#") | rex field=test "\S+:#\w+#\w+#(?P<ClientID1>\w+)#\w+#\w+#(?P<filetype>\w+)#(?P\S+)" | eval filetype=if(clientID==clientID1, filetype, "NA")

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2017 10:51 AM

I reformatted your OP but some of the text in the rex commands was lost when you submitted it because it was not called out as code. Please fix.

0 Karma
Reply

starcher
Influencer
‎08-11-2017 10:14 AM

You can stack extractions. It is easier to see in a transforms conf stanza. See in this example of extracting header then pulling from the header field as the source key.

http://www.georgestarcher.com/splunk-bringing-in-data-minecraft-the-model-method/

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...