Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting rex field with a newly extracted rex field

griffinpair
Path Finder
‎08-11-2017 10:10 AM

Below is the current search I have put together to extract a couple fields. The extraction of the ClientID from the source works perfect. I now need to extract the filetype from the import_File field based on the previously extracted ClientID.

Search:

source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* Moved earliest=-36h@h
| rex field=source "importhelpers\\\\+(?ClientID[^\\\\]+)"
| rex field=import_File ""ClientID"\\\\\\\\\\+(?filetype[^\\]+)"

import_File Examples: 

D:\XSP\Builds\IRM\InternalImports\IRM\Account\IRM_Accounts_20170810_csv.xml 
D:\XSP\Builds\USBI\InternalImports\IRM\Manager\IRM_Accounts_20170810_csv.xml
  • In these examples I am trying to extract from the import_File where file_Type will be Account or Manager.
  • It is important to note that IRM and USBI right before that is the ClientID that is extracted from the first rex field. This ClientID will be different for each client and I will need to extract the filetype based on this.
0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2017 12:48 PM

If I understand you correctly, you would like to use the values of the previously generated-by-rex-at-search-time field ClientID inside of a later rex call as part of the RegEx string/pattern, right?

0 Karma
Reply

somesoni2
Revered Legend
‎08-11-2017 12:08 PM

If the field import_File contains both ClientID and filetype, why not just extract ClientID along with filetype from import_File field only. This way you can avoid reference previously extracted value (dynamic) in your 2nd rex.

source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* Moved earliest=-36h@h
| rex field=import_File "InternalImports\\\\(?<ClinetID>[^\\\]+)\\\\(?<filetype>[^\\\]+)"
0 Karma
Reply

sbbadri
Motivator
‎08-11-2017 11:04 AM

@griffinpair

Assuming that IRM and USBI are clientID's. Account and Manager are filetype's

| makeresults | eval import_File="D:\XSP\Builds\IRM\InternalImports\IRM\Account\IRM_Accounts_20170810_csv.xml;D:\XSP\Builds\USBI\InternalImports\IRM\Manager\IRM_Accounts_20170810_csv.xml " | makemv delim=";" import_File| mvexpand import_File| eval test=replace(import_File,"\\","#") | rex field=test "\S+:#\w+#\w+#(?P<ClientID1>\w+)#\w+#\w+#(?P<filetype>\w+)#(?P\S+)" | eval filetype=if(clientID==clientID1, filetype, "NA")

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2017 10:51 AM

I reformatted your OP but some of the text in the rex commands was lost when you submitted it because it was not called out as code. Please fix.

0 Karma
Reply

starcher
Influencer
‎08-11-2017 10:14 AM

You can stack extractions. It is easier to see in a transforms conf stanza. See in this example of extracting header then pulling from the header field as the source key.

http://www.georgestarcher.com/splunk-bringing-in-data-minecraft-the-model-method/

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...