Hi
I already extracted a field (block_num) in my event, but now I would like to use it as part of a new regex. I want to do something like this:
...| rex field=_raw " Block number block_num (?<block_info>\w{1,}?)"
---- where block_num is the field I already have.
No No No !
By writing ...| rex field=_raw " Block number block_num (?<block_info>\w{1,}?)", you are telling Splunk to search for a word which is after the group of words Block number block_num. Splunk will not take block_num here as a field.
So I am not sure that what you want is yet possible.
I know the regex is wrong, I would like to know if there is a way to do it.
No! You can only take block_num as a word inside the regex. Let me know the block_num values; I think I can help you extract block_info.
It is a 3-5 digit number.
Before the w there is a back slash.
I already tried enclosing the block_num in [ ] or in $$.
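
Added example, not part of the original thread: rex treats its pattern as a fixed string, but the eval functions match() and replace() accept a regex built from field values, so the per-event block_num can be concatenated into the pattern there. The sample events, their layout ("Block number <block_num> <block_info>") and the field names n, sample and pattern are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample="constructed events, assumed log layout"
| eval block_num=case(n=1, "4821", n=2, "307", n=3, "55120")
| eval _raw=case(n=1, "disk0: Block number 4821 READY",
                 n=2, "disk1: Block number 307 FAILED",
                 n=3, "disk2: Block number 99999 READY")
| eval pattern="Block number ".block_num." (\w+)"
| eval block_info=if(match(_raw, pattern), replace(_raw, "^.*?".pattern.".*$", "\1"), null())
| table block_num block_info _raw
```

The third event leaves block_info empty because its block_num does not occur in _raw; without the match() guard, replace() would return the whole event unchanged. A 3-5 digit block_num needs no escaping, but a field that can contain regex metacharacters would have to be escaped before being concatenated into the pattern.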