
Is it possible to use an extracted field inside a regex?

Builder

Hi

I already extracted a field (block_num) in my event, but now I would like to use it as part of a new regex. I want to do something like this:
`... | rex field=_raw " Block number block_num (?<block_info>\w{1,}?)"` ---- where block_num is the field I already have.

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Builder

Before the w there is a back slash.

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Builder

I already tried enclosing the block_num in [ ] or in $$.

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Motivator

No, no, no!
By writing `... | rex field=_raw " Block number block_num (?<block_info>\w{1,}?)"`, you are telling Splunk to search for a word which comes after the group of words "Block number block_num". Splunk will not take block_num here as a field.
So I am not sure that what you want is possible yet.

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Builder

I know the regex is wrong, I would like to know if there is a way to do it.

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Motivator

No! You can only take block_num as a word inside the regex. Let me know the block_num values; I think I can help you extract block_info.

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Builder

It is a 3-5 digit number.

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Motivator

Are these things in the same event? What does an event look like?

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Builder

Yes, they are in the same event. The event is quite long and mostly text. The structure of the events is like:

```
block number 500
... info (sometimes there are errors here)
.... info
End of block number
block number 501
....info
...info
End of block number 501
```

First I extract the error, then the block number where the error is, and finally I want to extract the whole block. Well... that's the idea.

0 Karma

Re: Is it possible to use an extracted field inside a regex?

Motivator

It looks like you're doing that inside out. Why not extract all the blocks first, and then filter your results based on whether there's an error in the block or not?

0 Karma
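
The approach suggested in the last reply (extract every block first, then keep only the blocks that contain an error), as an added SPL example that is not part of the original thread. The sample event built with `makeresults` is constructed, and matching on the word "error" is an assumption about what the errors look like.

```spl
| makeresults
| eval _raw="block number 500
... info
error: constructed sample failure
.... info
End of block number
block number 501
....info
...info
End of block number 501"
``` 1. Pull every block out of the event as one multivalue field.
    (?s) lets . cross line breaks, .*? stops at the first end marker,
    max_match=0 removes the default limit of one match per event. ```
| rex max_match=0 "(?is)(?<block>block number \d{3,5}.*?End of block number[^\n]*)"
``` 2. One result row per block. ```
| mvexpand block
``` 3. Read the block number from the block's own first line. ```
| rex field=block "(?i)^block number (?<block_num>\d{3,5})"
``` 4. Keep only the blocks that contain an error. ```
| where match(block, "(?i)error")
| table block_num block
```

Because the block number is captured from inside each extracted block, no field value has to be substituted into the regex, which `rex` does not do.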