Solved: Referencing extracted fields from regex?

balidani · ‎06-09-2012

Hello!

How would I go about referencing an already extracted field's regex pattern in a regex?
So I don't have to copy the pattern of the field each time.

For example I have an extracted field for "md5_hash", and I want to look for URLs with the following syntax: "^/some/thing/(md5_hash)". Is this possible?

Thanks in advance!

richprescott · ‎06-09-2012

Yes, if you look in $SPLUNKHOME$/etc/system/default/transforms.conf, you can see many examples of how to do it. Here is one of them:

[octet] this would match only numbers from 0-255 (one octet in an ip) REGEX = 2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?

[ipv4]
matches a valid IPv4 optionally followed by :port_num the octets in the ip would also be validated 0-255 range
Extracts: ip, port
REGEX = (?[[octet]](?:\.[[octet]]){3})(?::[[int:port]])?

View solution in original post

richprescott · ‎06-09-2012

Yes, if you look in $SPLUNKHOME$/etc/system/default/transforms.conf, you can see many examples of how to do it. Here is one of them:

[octet] this would match only numbers from 0-255 (one octet in an ip) REGEX = 2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?

[ipv4]
matches a valid IPv4 optionally followed by :port_num the octets in the ip would also be validated 0-255 range
Extracts: ip, port
REGEX = (?[[octet]](?:\.[[octet]]){3})(?::[[int:port]])?

Referencing extracted fields from regex?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms