Solved: ddl bind with rex

Jasmine · ‎05-11-2024

In the below query if c= I, the reg expression is | rex field=attr.namespace "(?<DB>[^\.]*)"
if c= other than "I" then rex would be | rex field=attr.ns "(?<DB>[^\.]*)"

index="aaa" (source="/test/log/testing.log")  host IN(host1) c=N
          | rex field=attr.ns "(?<DB>[^\.]*)"
   	 | table  DB| dedup DB

how can i adjust the query?

tscroggins · ‎05-11-2024

Hi @Jasmine,

You can assign the field value to a temporary field first, and then use the rex command to extract the value you want:

index="aaa" (source="/test/log/testing.log") host IN (host1) c=*
| eval DB=if(c=="I", 'attr.namespace', 'attr.ns')
| rex field=DB "(?<DB>[^\.]*)"
| table DB
| dedup DB

View solution in original post

tscroggins · ‎05-11-2024

Hi @Jasmine,

You can assign the field value to a temporary field first, and then use the rex command to extract the value you want:

index="aaa" (source="/test/log/testing.log") host IN (host1) c=*
| eval DB=if(c=="I", 'attr.namespace', 'attr.ns')
| rex field=DB "(?<DB>[^\.]*)"
| table DB
| dedup DB

ddl bind with rex

stats

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

ddl bind with rex

stats

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...