I would like to define a tag in splunk using a regex.
host=st1231, host=1232, host=1233 -> the name of the tag should be "foo"
host=st1234, host=1235, host=1236, host=1237 -> the name of the tag should be "bar"
Is it possible to define these tags above using a regex? Or do I have to define for each host its own tag?
You can do this with Python also. Ya, it's: you can do with this. This is a known problem with regex - you can't match pairs. Matching is either greedy, in which case it matches the last one it finds, or non-greedy, in which case it matches the first. You can't persuade a regex to count opening and closing brackets.
I would recommend loading it into a DOM and using that. If you are trying to implement an HTML parser, I would recommend using regex to lex it, then a left-right parser to parse the output of your lexer.
The only way that you can do any wildcarding is to use `*` in an eventtype definition and then you create a tag with a value like this:
    eventtype=<Your eventtype Name Here>
Even so, you cannot use pipes `|` in your eventtype, so you cannot use the RegEx-ish commands like `regex`, so this is not really an answer, other than to assure you that there is no answer.
1: You can use a list in your eventtype. If you are using the GUI, when you create an eventtype with a search string, there is a place to assign it a tag name, too.
2: You can create multiple tag definitions, one-by-one, recycling the same tag name, one for each host KVP.
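The two alternatives above, written out as the conf stanzas they correspond to. This is an added example, not from the thread: the eventtype names (foo_hosts, bar_hosts) are assumed, and all seven hosts are assumed to carry the "st" prefix from the question.

```ini
# eventtypes.conf (assumed stanza names)
# Alternative 1: an eventtype holding the host list; a wildcard such as
# host=st123* would match all seven hosts, so the list is what separates
# foo from bar.
[foo_hosts]
search = host=st1231 OR host=st1232 OR host=st1233

[bar_hosts]
search = host=st1234 OR host=st1235 OR host=st1236 OR host=st1237

# tags.conf
# The tag is attached to the eventtype field, as the answer above describes,
# so "tag=foo" finds events from the foo hosts.
[eventtype=foo_hosts]
foo = enabled

[eventtype=bar_hosts]
bar = enabled

# Alternative 2: one tag stanza per host KVP, reusing the same tag name.
[host=st1231]
foo = enabled

[host=st1232]
foo = enabled

[host=st1233]
foo = enabled
```

With either layout the search is simply `tag=foo` or `tag=bar`; the eventtype route keeps the host list in one place, the per-host route needs a new stanza whenever a host is added.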
tags support wildcards or regex. Alternatively you could use search macros and regex. Something like this should work:
    [foo]
    definition = index=st123* | regex host="st123[1-3]"

    [bar]
    definition = index=st123* | regex host="st123[4-7]"
In your search, you could use
    `foo` OR `bar`
Tags CAN be created with wildcards:
Settings > Tags > All unique tag objects > New Tag:
    Tag name = privileged_user
    Field name = user
    Field value = admin
Search: tag=privileged_user (will find admin, sysadmin, adminsap, etc.)