How to use eval reference in rex command.
Here is what I have tried so far:
MyMacro: myrextest(1)
| eval test= "Hello"
| eval myinput = $myinput$
| eval rexString = "'$myinput$':'(?<$myinput$>[^*']+)"
| rex field=payload "'$myinput$':'(?<$myinput$>[^*']+)"
Search string without eval, and it is working fine:
| eval payload = "{'description':'snapshot created from test','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
`myrextest("snapShotName")`
Output from the search string:
rexString: 'snapShotName':'(?<snapShotName>[^*']+)
Search string with eval:
| makeresults
| eval payload = "{'description':'snapshot created from test','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
| eval myMacroInput = "snapShotName"
`myrextest(myMacroInput)`
Output from the search string:
'myMacroInput':'(?<myMacroInput>[^*']+)
Based on my observation, when I am passing an eval reference to my macro and using it in rex, it is not replacing the value; it is replacing it with the eval reference.
Can someone please help me with it? I have tried a lot but unfortunately I didn't get any solution.
What you seek can't be done, although it would be great if it could. Macros are expanded before the search runs so there are no field values to pass to the macro. See https://ideas.splunk.com/ideas/EID-I-56
Hi richgalloway,
In my case the macro is optional; I have tried without the macro also but am getting the same result.
| makeresults
| eval payload = "{'description':'snapshot created from ciolake','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
| eval keyName1 = "snapShotName",keyName2 = "snapShotName"
| foreach keyName*[
eval myRexTestString = <<FIELD>>."':'(?<hello>[^*']+)"
| rex field=payload <<FIELD>>."':'(?<rexgroupnam>[^*']+)"
| rename rexgroupnam as <<FIELD>> ]
Output from search command:
myRexTestString : snapShotName':'(?<hello>[^*']+)
keyName1: null
keyName2: null
Is there any possibility to use map instead of foreach? If yes, can you please provide an example of how to use map in this case.
In my experience, we can't use the concatenation operator or field names with the rex command.
Thank you for the confirmation.
After changing my input parameter format, I am able to achieve it:
| makeresults
| eval payload = "{'description':'snapshot created from ciolake','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
| foreach snapShotName description sourceDisk
[eval <<FIELD>> = "<<FIELD>>" | rex field=payload "'<<FIELD>>':'(?<rexgroupnam>[^*']+)"
| rename rexgroupnam as "<<FIELD>>" ]
After all these rounds, I finally get to see what you really want. (You could have got to this point by illustrating how actual results differ from intended results.)
I am not sure why foreach is less desirable than mvmap. But you can use replace to achieve what you desired. Given this macro:
[myrextest(2)]
args = data,myinput
definition = replace($data$, ".*?'".$myinput$."':'([^']+).*", "\1")
iseval = 0
I took the liberty of adding another arg to represent data field because it's just fair. The trick is really about interpolation of $myinput$. (Although I wasn't able to make it work in rex command and unsure why.)
This is how you can use it - with the same data emulation you have shown:
| makeresults
| fields - _time
| eval payload = "{'description':'snapshot created fromtest','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
``` data emulation above ```
| eval onename = "status", anyname = mvappend("status", "sourceDisk", "snapShotName", "description")
| eval onefield = `myrextest(payload, onename)`
| eval anyfield = mvmap(anyname, `myrextest(payload, anyname)`)
| fields onename onefield anyname anyfield
Here is the result:
onename | onefield | anyname      | anyfield
status  | READY    | status       | READY
        |          | sourceDisk   | instance1-disk-2
        |          | snapShotName | instance1-disk-2-cio-1564744963
        |          | description  | snapshot created fromtest
Is this what you are looking for?
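As an added check (this is not SPL from the thread), here is the regex the macro builds, `.*?'<key>':'([^']+).*` replaced by `\1`, run in Python against the same emulated payload; `extract_key_checked` and its behaviour for a missing key are my own addition, not part of the macro.

```python
import re

# Constructed sample payload, copied from the thread's data emulation.
PAYLOAD = ("{'description':'snapshot created fromtest',"
           "'snapShotName':'instance1-disk-2-cio-1564744963',"
           "'sourceDisk':'instance1-disk-2','status':'READY'}")


def extract_key(data, key):
    """Emulate replace($data$, ".*?'<key>':'([^']+).*", "\\1").

    re.sub, like Splunk's replace(), returns the input unchanged when the
    pattern does not match, so a missing key yields the whole payload
    rather than an empty value.
    """
    pattern = r".*?'" + key + r"':'([^']+).*"
    return re.sub(pattern, r"\1", data)


def extract_many(data, keys):
    """Emulate mvmap over a multivalue list of key names."""
    return {k: extract_key(data, k) for k in keys}


def extract_key_checked(data, key):
    """Hardened variant (assumption, not in the thread): escape regex
    metacharacters in the key name and return None when the key is
    absent, instead of copying the full payload into the output field."""
    m = re.search(r"'" + re.escape(key) + r"':'([^']+)", data)
    return m.group(1) if m else None


if __name__ == "__main__":
    keys = ["status", "sourceDisk", "snapShotName", "description"]
    for k, v in extract_many(PAYLOAD, keys).items():
        print(f"{k}: {v}")
    # A key that is not in the payload falls through unchanged.
    print("missing key returns payload:", extract_key(PAYLOAD, "owner") == PAYLOAD)
    print("checked variant:", extract_key_checked(PAYLOAD, "owner"))
```

The missing-key case is the one to watch in a dashboard or alert: with the plain replace() form, an absent key silently produces the entire payload as the field value rather than an empty result.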