Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass a field as a parameter to the rex command?

Murali2888
Communicator
‎08-11-2015 12:11 AM

Hi,

I would like to how we can pass a field as a parameter to the rex expression in Splunk.
I am using the below which is not working for some reason.

<Search query> | rex <Field1> | rex "<tag1>?(P=Field1)</tag1><tag2>(?P<Field2>)" | table Field1,Field2

Is there any other way we can pass parameters to a rex expression?

0 Karma
Reply

maciep
Champion
‎08-12-2015 08:07 AM

I'm not sure exactly what you're asking either. I've used this below to use the value of a capture group later on in the rex, where "\1" is the value from the first capture group - in this case the malware_domain field. And I have to believe there is a way to escape field values as well is needed (would need to read up on rex), but maybe not.

rex "CEF.+rewrite (?<malware_domain>\S+).+(\1|nsdname)\.(?<apt_policy>[^\"]+)"
0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2015 08:49 AM

I am not exactly sure what you mean but perhaps you can make use of a macro to paramaterize your use of rex:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Search/Usesearchmacros

0 Karma
Reply

Murali2888
Communicator
‎08-11-2015 10:56 PM

Thanks for your comments woodcock.

I tried creating a parameterised macro, but the macro is not handling the "Field Name" as a parameter.
Instead of populating the value of the field, the macro populates the Field Name itself.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-12-2015 07:09 AM

The reason that I did not give a more clear answer was because your question was unclear. Do you mean that you mean that for this:

 <Search query> | rex field={FieldWithValue} "SomeRegEx"

You would like the rex performed on the field name that is represented by the value of the FieldWithValue field?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...