Solved: Referencing extracted fields from regex?

balidani · ‎06-09-2012

Hello!

How would I go about referencing an already extracted field's regex pattern in a regex?
So I don't have to copy the pattern of the field each time.

For example I have an extracted field for "md5_hash", and I want to look for URLs with the following syntax: "^/some/thing/(md5_hash)". Is this possible?

Thanks in advance!

richprescott · ‎06-09-2012

Yes, if you look in $SPLUNKHOME$/etc/system/default/transforms.conf, you can see many examples of how to do it. Here is one of them:

[octet] this would match only numbers from 0-255 (one octet in an ip) REGEX = 2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?

[ipv4]
matches a valid IPv4 optionally followed by :port_num the octets in the ip would also be validated 0-255 range
Extracts: ip, port
REGEX = (?[[octet]](?:\.[[octet]]){3})(?::[[int:port]])?

View solution in original post

richprescott · ‎06-09-2012

Yes, if you look in $SPLUNKHOME$/etc/system/default/transforms.conf, you can see many examples of how to do it. Here is one of them:

[octet] this would match only numbers from 0-255 (one octet in an ip) REGEX = 2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?

[ipv4]
matches a valid IPv4 optionally followed by :port_num the octets in the ip would also be validated 0-255 range
Extracts: ip, port
REGEX = (?[[octet]](?:\.[[octet]]){3})(?::[[int:port]])?

Referencing extracted fields from regex?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation