Re: Is it possible to use an extracted field insid... - Page 2

edrivera3 · ‎04-22-2015

Hi

I already extracted a field (block_num) in my event, but now I would like to use it as part of a new regex. I want to do something like this:
...| rex field=_raw " Block number block_num (? < block_info>\w{1,}?)" ---- where block_num is the field I already have.

stephanefotso · ‎04-22-2015

No No No !
By writing ...| rex field=_raw " Block number block_num (? < block_info>\w{1,}?)", your are telling splunk to search for a word which is after the group of words Block number block_num. Splunk will not take block_num here as a field.
So i am not sure that what you want is yet possible.

SGF

edrivera3 · ‎04-22-2015

I know the regex is wrong, I would like to know if there is a way to do it.

stephanefotso · ‎04-22-2015

No! you can only take block_num as a word inside the regex. Let me know block_num values, i think i can help you extract block_info

SGF

edrivera3 · ‎04-22-2015

It is a 3-5 digit number.

edrivera3 · ‎04-22-2015

Before the w there is a back slash.

edrivera3 · ‎04-22-2015

I already tried enclosing the block_num in [ ] or in $$.

Is it possible to use an extracted field inside a regex?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life