Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write regex to extract a field's values and pass them to a new field using rex?

johntopley
Explorer
‎09-01-2014 12:40 AM

How can I use the value from a field named geog in the regular expression passed to the rex command? In the example below, I'd like foo to be substitued by whatever value geog has.

rex field=_raw "foo:(?<area>[^&]*)"

Thanks in advance.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎09-02-2014 07:58 AM

Here is what you want:

rex "geog:([^\&]+)&([^\/]+)\\/\1:(?P<area>[^\&]+)"
(be sure to escape the forward slash...the markdown is not allowing that to show.)

The first capturing group grabs the value of geog and then later, you reference the first capturing group with the \1

this worked for me.

You can see exactly how it works if you put your event and the regex into something like regex101.com

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Reply
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎09-02-2014 07:58 AM

Here is what you want:

rex "geog:([^\&]+)&([^\/]+)\\/\1:(?P<area>[^\&]+)"
(be sure to escape the forward slash...the markdown is not allowing that to show.)

The first capturing group grabs the value of geog and then later, you reference the first capturing group with the \1

this worked for me.

You can see exactly how it works if you put your event and the regex into something like regex101.com

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎09-03-2014 08:10 AM

Awesome! Thank you for accepting the answer. Be sure to vote it up as well so that it is more likely to bubble to the top when other folks are looking for something similar.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Solved! Jump to solution

johntopley
Explorer
‎09-03-2014 02:56 AM

That did the trick - thanks!

0 Karma
Reply
Solved! Jump to solution

Runals
Motivator
‎09-02-2014 02:55 AM

You are on the right track I think - just replace | rex field=_raw with | rex field=geog.

0 Karma
Reply
Solved! Jump to solution

johntopley
Explorer
‎09-02-2014 04:21 AM

It's a URL query string like this:

querystring=geog:2011WARDH&totals:false&dm/2011WARDH:E06000016,E12000004,E06000016&etc...

The geog field is extracted and returns 2011WARDH in this example. I want to extract E06000016,E12000004,E06000016 into a new area field. As you can see, they're prefixed with the 2011WARDH value from the geog field. This is not a fixed value, so I need it to vary within the regular expression as it varies within the geog field.

0 Karma
Reply
Solved! Jump to solution

Runals
Motivator
‎09-02-2014 03:16 AM

I'm confused - you want to use the value in the geog field but geog is not the field you want to extract the information from? Can you post an example? You can can have multiple capturing groups in a single rex command or have multiple rex commands. For example | rex field=geog "(?[^:]+):(?[^&]*)" | stats values(area) by foo

0 Karma
Reply
Solved! Jump to solution

johntopley
Explorer
‎09-02-2014 03:03 AM

No, geog is not the field I want rex to extract the information from. I just want to dynamically build up my rex regular expression to use whatever value the geog field has rather than hard-coding a value in the regex.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-02-2014 02:02 AM

... | eval foo = geog |

gives the value of the field geog to the field foo.

Somehow, I think that this is not what you're after. Please provide some sample events, your search, and your desired outcome.

0 Karma
Reply
Solved! Jump to solution

johntopley
Explorer
‎09-01-2014 01:46 AM

No, it's not static text. It's a field value. I've edited by question accordingly.

0 Karma
Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎09-01-2014 01:31 AM

By "it will only be one value" do you mean that it is static text? Because then you would just use the text...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...