Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pass a token to regex or pass a field to regex

spicy
Path Finder
‎07-29-2021 01:34 PM

I am extracting a list of free text string in the _ raw and creating a new field.
The list of terms comes from user input, on the search input of a dashboard. 

I cant seem to find how to place the token/variable in the regex... probably something easy im missing.

$token$="test|google|domain|badguy"      (formmated this way so regex can see it as OR separated list)
rex field=_raw " (?<extractedfieldname>$token$) (does not work)

Is there a way to do this?

if not a token option, can i:

eval tokenname=$token$
rex field=_raw " (?<extractedfieldname>'tokenname') (does not work)

After the token/variable is placed correctly this is the search format im looking for:

rex field=_raw " (?<extractedfieldname>test|google|domain|badguy) (this does work)

thanks for any help!

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-29-2021 02:35 PM

You could try something like this

| makeresults
| eval _raw="test|google|domain|badguy|something else"
| eval event=split(_raw,"|")
| mvexpand event
| eval _raw="random text ".event." other random text"
| fields - event _time



| eval search="test|google|domain|badguy"
| eval extractedfieldname=replace(_raw,"(?:.*)(?<t>".search.")(?:.*)","\1")
| eval extractedfieldname=if(extractedfieldname=_raw,null(),extractedfieldname)

The first part (before the blank lines) sets up some sample dummy events.

The second part sets a field to be the regex you want (could be from a token), then uses  replace to extract the matching string from _raw. If there is no match, the matched string is equal to _raw so this just needs to be replaced with null in this instance.

Reply

spicy
Path Finder
‎07-29-2021 05:28 PM


| rex max_match=0 field=_raw "(?<extractedfieldname>(17|7|1))"

this will work but will still need the variable to be passed to this rex

 

0 Karma
Reply

spicy
Path Finder
‎07-29-2021 04:40 PM

with the replace is it only gonna show me one hit from the passed list or does it need to be appended in some way?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-29-2021 11:38 PM

Yes you are going to get one hit (which is what your examples were doing); in this case it will be the last one. If you want the first one add a ? to the first unnamed group

| eval extractedfieldname=replace(_raw,"(?:.*?)(?<t>".search.")(?:.*)","\1")

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...