Splunk Search

Referencing extracted fields from regex?

balidani
Explorer

Hello!

How would I go about referencing an already extracted field's regex pattern in a regex?
So I don't have to copy the pattern of the field each time.

For example I have an extracted field for "md5_hash", and I want to look for URLs with the following syntax: "^/some/thing/(md5_hash)". Is this possible?

Thanks in advance!

Tags (2)
1 Solution

richprescott
Path Finder

Yes, if you look in $SPLUNKHOME$/etc/system/default/transforms.conf, you can see many examples of how to do it. Here is one of them:


[octet]
this would match only numbers from 0-255 (one octet in an ip)
REGEX = 2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?

[ipv4]
matches a valid IPv4 optionally followed by :port_num the octets in the ip would also be validated 0-255 range
Extracts: ip, port
REGEX = (?[[octet]](?:\.[[octet]]){3})(?::[[int:port]])?

View solution in original post

richprescott
Path Finder

Yes, if you look in $SPLUNKHOME$/etc/system/default/transforms.conf, you can see many examples of how to do it. Here is one of them:


[octet]
this would match only numbers from 0-255 (one octet in an ip)
REGEX = 2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?

[ipv4]
matches a valid IPv4 optionally followed by :port_num the octets in the ip would also be validated 0-255 range
Extracts: ip, port
REGEX = (?[[octet]](?:\.[[octet]]){3})(?::[[int:port]])?

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!