I'm trying to use rex to extract a value from an event.
In order to avoid writing out the pattern too many times, I have decided to place the pattern inside a macro with a specified argument passed in.
First, sample data looks like this:
DataType=1, PowerMax=50, PowerMin=10
To invoke the macro, I might use a command like this:
and inside the macro, I want to do something like this:
... | eval re=", ".$arg1$."=(?<bar>[^,]*)" | rex field=_raw re
which I wanted to extract bar=50, but I get an error similar to this:
Error in 'rex' command: The regex 're' does not extract anything. It should specify at least one named group. Format: (?<name>...).
No answer/solution to your problem but at least an explanation, so just putting this in as a comment: rex does not interpret "re" as the variable you just created. It will interpret it as the STRING "re", which is why it will complain that you're not extracting anything.
Just one doubt: your sample data pretty much looks like ideal input data for Splunk (key-value pairs which are comma separated), and Splunk should already have extracted all these fields. Are you sure the fields are not automatically extracted and you need a rex to do it?
You can use subsearches to achieve this. It's a bit ugly but does the job. We're going to use the fact that subsearches treat the fields "query" and "search" differently from other field names, in that the field names aren't used in the output. So
[... | eval foo="bar" | fields foo]
would return something like
[... | eval query="bar" | fields query]
We can't use this output right away in your scenario though because of the parentheses. Thankfully you can change the format that's used by the subsearch when returning results, by invoking the command format with the proper parameters at the end. In this case we just want to remove all parentheses, so we just set empty strings for everything:
[... | eval query="bar" | fields query | format "" "" "" "" "" ""]
This will return
We can now use this in your regex case. (The stats count at the beginning of the subsearch is just a dummy search; it's just there to be able to run the
... | rex field=_raw [|stats count | eval query=", ".$arg1$."=(?<bar>[^,]*)" | fields query | format "" "" "" "" "" ""]
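Packaging the subsearch trick from this answer into the argument-taking macro the question describes, as an added example that is not part of the thread. Everything in it is an assumption of mine: the macro name extract_kv and argument name key, an invocation of the form `extract_kv(PowerMax)` with an unquoted argument, the value class [0-9]+ (chosen because the sample values are numeric and it keeps the comma out of the character class), and the escaped quotes in the eval that hand rex a quoted pattern rather than a bare token stream.

```ini
# macros.conf (added example, not from the thread).
# Macro name, argument name and value class are assumptions.
#
# First stanza: the subsearch approach from this answer. "| stats count"
# is only there to produce one row for eval to work on; naming the field
# "query" makes the subsearch emit the bare value, and format with six
# empty strings stops it from wrapping parentheses around that value.
# The \" escapes put literal double quotes around the generated pattern
# so that rex receives a quoted regex and SPL does not tokenize it.
[extract_kv(1)]
args = key
definition = rex field=_raw [| stats count | eval query="\", $key$=(?<bar>[0-9]+)\"" | fields query | format "" "" "" "" "" ""]
iseval = 0

# Second stanza: the same extraction without a subsearch. Splunk substitutes
# macro arguments as text before the search is parsed, so $key$ can sit
# directly inside rex's quoted pattern. This is my observation, not a route
# taken in the thread.
[extract_kv_direct(1)]
args = key
definition = rex field=_raw ", $key$=(?<bar>[0-9]+)"
iseval = 0
```

With either macro in place, `... | `extract_kv(PowerMax)` | table bar` is expected to yield bar=50 on the sample event from the question. Both forms only cover the case where the key name is known when the macro is invoked; a key name read from another field of the same event at search time is a different problem, which is the limitation the follow-up comments below are circling.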
YES. This works, but only to a certain extent. It seems the engine doesn't like to see the comma inside the character class, i.e. [^,]... the error I get is the following... Error in 'rex' command: Encountered the following error while compiling the regex 'PowerMax=(?
somesoni2, thanks for the reply. Yes, those kvp's are automatically extracted by Splunk, but as related to my other question (http://answers.splunk.com/answers/114240/dynamic-field-value-extraction), I can't use those fields directly unless I hard-code the field I want to extract/compare
Yeah while I provided an answer to the specific question you had below, I agree that you might be onto the wrong path here. That is often the case when you have to resort to the kind of ugliness that's in my answer 🙂