Solved: Re: How do you use value or capture groups as rege...

mschaaf · ‎01-10-2019

In the code below, i want the explicit {5} to be replaced with a variable like {$session_length$}. Is this possible? If so, how? Thanks!

| makeresults 
| eval test="abc5defgHijk" 
| rex field=test "^.{3}(?<session_length>\d)(?<session>.{5})"
|fields session

I want the output of session="defgH".

arkadyz1 · ‎01-11-2019

I'm with @ccl0utierk on this one - there is no way to grab that with just one rex command. You need a longer way: extract session_length first via eval or rex command first then use | eval session=substr(test,5,session_length) (where 5 is the position where session starts, 1-based so it skips the first 4 characters) to get the session.

View solution in original post

scombs · ‎06-19-2022

Here's another (late) solution.

| makeresults 
| eval test="abc5defgHijk" 
| eval session=substr( replace(test,"^.{3}\d",""),
    1, tonumber(replace(test,"^.{3}(\d).*","\1")) )
|fields session

woodcock · ‎01-11-2019

Cool challenge; thanks!

woodcock · ‎01-11-2019

Like this:

| makeresults 
| eval test="abc5defgHijk" 
| rex field=test "^.{3}(?<session_length>\d)"
| eval {session_length} = session_length
| foreach 1* 2* 3* 4* 5* 6* 7* 8* 9*
    [ rex field=test "^.{3}(?<session_length>\d)(?<session>.{<<FIELD>>})" ]
| fields - 0 1 2 3 4 5 6 7 8 9

arkadyz1 · ‎01-11-2019

I'm with @ccl0utierk on this one - there is no way to grab that with just one rex command. You need a longer way: extract session_length first via eval or rex command first then use | eval session=substr(test,5,session_length) (where 5 is the position where session starts, 1-based so it skips the first 4 characters) to get the session.

ccl0utier · ‎01-11-2019

Indeed, this is where I was leading. 😉

woodcock · ‎01-16-2019

Look at my solution. It actually works exactly as you would like, @mschaaf, without the downsides of this answer.

arkadyz1 · ‎01-16-2019

Unless there are other fields in the original event, starting with a digit, correct?

I like the elegance of your answer, but what are the downsides of mine?

woodcock · ‎01-16-2019

You have hard-coded the 5, mine gets it from a a field, which is what the OP, @mschaaf, was asking.

arkadyz1 · ‎01-16-2019

No, I did not hard-code the length - 5 was the length of the prefix (.{3}\d)+1 (substr is 1-based), the other 5 gets taken from session_length - look closer :). My solution will take 'defg' from 'abc4defgHijk' - please check.
Here is a search I've just run:
| makeresults | eval test="abc4defgHijk" | rex field=test "^.{3}(?<session_length>\d)" | eval session=substr(test,5,session_length)

woodcock · ‎01-16-2019

My mistake, I misread your solution. I see it now. I will delete my entire comment thread tomorrow. Thanks for setting me straight.

arkadyz1 · ‎01-16-2019

No, please don't. It shows the weakness anyway: how do I make it more generic and calculate the starting offset instead of hard-coding it? I actually hate seeing those constants in the code. I'd say something like
| rex field=test "(?<prefix>.{3})(?<session_length>\d)" | eval session=substr(test,1+len(prefix)+len(session_length),session_length)
is more to my liking. How's that for a solution?

woodcock · ‎01-16-2019

I like it just as much as mine. Let's UpVote eachother and agree to a draw.

arkadyz1 · ‎01-17-2019

I upvoted yours quite some time ago. Also, it's not a competition - there is more than one way to do something, and it's great. I actually learned something from your answer - never used foreach command, nor {{session_length}} syntax, and just being aware of it is great.

woodcock · ‎01-18-2019

Most people do not know that replace can take values out of fields for it's arguments. It is a very special command in that regard and a super powerful tool for this kind of thing.

ccl0utier · ‎01-11-2019

Mschaaf,

As far as I know, the REX command doesn't support a variable for the regex parameter. Can you give us an example of your data?
There might be other ways to do what you want to do?

Vijeta · ‎01-10-2019

To get 'defgH" you can use below rex

rex field=test "\d{1}+(?<sub>.\S{3})"

arkadyz1 · ‎01-16-2019

I downvoted this post because the answer is plain wrong - please test your suggestions before posting.
here is a search i ran to check your answer:
| makeresults | eval test="abc5defghijk" | rex field=test "\d{1}+(?<sub>.\s{3})"
you can change that digit 5 inside test to any other digit you want and sub will always be "defg".

Vijeta · ‎01-16-2019

I see that. Thanks for letting me know .

How do you use value or capture groups as regex's curly bracket number parameter?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...