In the code below, i want the explicit {5} to be replaced with a variable like {$session_length$}. Is this possible? If so, how? Thanks!
| makeresults
| eval test="abc5defgHijk"
| rex field=test "^.{3}(?<session_length>\d)(?<session>.{5})"
|fields session
I want the output of session="defgH".
I'm with @ccl0utierk on this one - there is no way to grab that with just one rex
command. You need a longer way: extract session_length first via eval
or rex
command first then use | eval session=substr(test,5,session_length)
(where 5 is the position where session starts, 1-based so it skips the first 4 characters) to get the session.
Here's another (late) solution.
| makeresults
| eval test="abc5defgHijk"
| eval session=substr( replace(test,"^.{3}\d",""),
1, tonumber(replace(test,"^.{3}(\d).*","\1")) )
|fields session
Cool challenge; thanks!
Like this:
| makeresults
| eval test="abc5defgHijk"
| rex field=test "^.{3}(?<session_length>\d)"
| eval {session_length} = session_length
| foreach 1* 2* 3* 4* 5* 6* 7* 8* 9*
[ rex field=test "^.{3}(?<session_length>\d)(?<session>.{<<FIELD>>})" ]
| fields - 0 1 2 3 4 5 6 7 8 9
I'm with @ccl0utierk on this one - there is no way to grab that with just one rex
command. You need a longer way: extract session_length first via eval
or rex
command first then use | eval session=substr(test,5,session_length)
(where 5 is the position where session starts, 1-based so it skips the first 4 characters) to get the session.
Indeed, this is where I was leading. 😉
Look at my solution. It actually works exactly as you would like, @mschaaf, without the downsides of this answer.
Unless there are other fields in the original event, starting with a digit, correct?
I like the elegance of your answer, but what are the downsides of mine?
You have hard-coded the 5
, mine gets it from a a field, which is what the OP, @mschaaf, was asking.
No, I did not hard-code the length - 5 was the length of the prefix (.{3}\d)+1 (substr is 1-based), the other 5 gets taken from session_length - look closer :). My solution will take 'defg' from 'abc4defgHijk' - please check.
Here is a search I've just run:
| makeresults | eval test="abc4defgHijk" | rex field=test "^.{3}(?<session_length>\d)" | eval session=substr(test,5,session_length)
My mistake, I misread your solution. I see it now. I will delete my entire comment thread tomorrow. Thanks for setting me straight.
No, please don't. It shows the weakness anyway: how do I make it more generic and calculate the starting offset instead of hard-coding it? I actually hate seeing those constants in the code. I'd say something like
| rex field=test "(?<prefix>.{3})(?<session_length>\d)" | eval session=substr(test,1+len(prefix)+len(session_length),session_length)
is more to my liking. How's that for a solution?
I like it just as much as mine. Let's UpVote
eachother and agree to a draw.
I upvoted yours quite some time ago. Also, it's not a competition - there is more than one way to do something, and it's great. I actually learned something from your answer - never used foreach
command, nor {{session_length}}
syntax, and just being aware of it is great.
Most people do not know that replace
can take values out of fields for it's arguments. It is a very special command in that regard and a super powerful tool for this kind of thing.
Mschaaf,
As far as I know, the REX command doesn't support a variable for the regex parameter. Can you give us an example of your data?
There might be other ways to do what you want to do?
To get 'defgH" you can use below rex
rex field=test "\d{1}+(?<sub>.\S{3})"
I downvoted this post because the answer is plain wrong - please test your suggestions before posting.
here is a search i ran to check your answer:
| makeresults | eval test="abc5defghijk" | rex field=test "\d{1}+(?<sub>.\s{3})"
you can change that digit 5 inside test to any other digit you want and sub will always be "defg".
I see that. Thanks for letting me know .