Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pass a token to regex or pass a field to regex

spicy
Path Finder
‎07-29-2021 01:34 PM

I am extracting a list of free text string in the _ raw and creating a new field.
The list of terms comes from user input, on the search input of a dashboard. 

I cant seem to find how to place the token/variable in the regex... probably something easy im missing.

$token$="test|google|domain|badguy"      (formmated this way so regex can see it as OR separated list)
rex field=_raw " (?<extractedfieldname>$token$) (does not work)

Is there a way to do this?

if not a token option, can i:

eval tokenname=$token$
rex field=_raw " (?<extractedfieldname>'tokenname') (does not work)

After the token/variable is placed correctly this is the search format im looking for:

rex field=_raw " (?<extractedfieldname>test|google|domain|badguy) (this does work)

thanks for any help!

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-29-2021 02:35 PM

You could try something like this

| makeresults
| eval _raw="test|google|domain|badguy|something else"
| eval event=split(_raw,"|")
| mvexpand event
| eval _raw="random text ".event." other random text"
| fields - event _time



| eval search="test|google|domain|badguy"
| eval extractedfieldname=replace(_raw,"(?:.*)(?<t>".search.")(?:.*)","\1")
| eval extractedfieldname=if(extractedfieldname=_raw,null(),extractedfieldname)

The first part (before the blank lines) sets up some sample dummy events.

The second part sets a field to be the regex you want (could be from a token), then uses  replace to extract the matching string from _raw. If there is no match, the matched string is equal to _raw so this just needs to be replaced with null in this instance.

Reply

spicy
Path Finder
‎07-29-2021 05:28 PM


| rex max_match=0 field=_raw "(?<extractedfieldname>(17|7|1))"

this will work but will still need the variable to be passed to this rex

 

0 Karma
Reply

spicy
Path Finder
‎07-29-2021 04:40 PM

with the replace is it only gonna show me one hit from the passed list or does it need to be appended in some way?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-29-2021 11:38 PM

Yes you are going to get one hit (which is what your examples were doing); in this case it will be the last one. If you want the first one add a ? to the first unnamed group

| eval extractedfieldname=replace(_raw,"(?:.*?)(?<t>".search.")(?:.*)","\1")

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...