Splunk Search

how to dynamically change rex pattern

vikasverma
Engager

Hello All,

I hope you all are doing well.

I have a situation wherein I have to pass the current day value (Sun, Mon, Tue, etc.) into a regex dynamically to capture an associated value which I have in a lookup for that day.

I have a lookup, maintenance.csv with below fields.

host; maintenance_days

host1; Sun=1, Mon=2, Tue=3 and so on

What I want is, depending on the day on which my search is run, it should fetch the corresponding value for that day. For example, if my search runs on Mon, it should return 2; if it runs on Tue, it should return 3, etc.

I thought I could do this by calculating the day at search time, passing it as a variable into my regex, and extracting the value for the day (1, 2, 3, etc.) by using fields in the rex command, but it's not working.

Search:

| inputlookup "maintenance.csv"
| eval date_wday=strftime(strptime(now(),"%d/%m/%Y"),"%a")
| rex field=maintenance_days "date_wday\=(?P<mday>[^,])"

What I need is, if the above search is run on "Mon", then the regex in the search becomes "| rex field=maintenance_days "Mon\=(?P<mday>[^,])"". If it runs on Wednesday, then it becomes "| rex field=maintenance_days "Wed\=(?P<mday>[^,])"", etc.

I have tried $date_wday$ instead of date_wday but it didn't work. I have tried putting "| rex field=maintenance_days "date_wday\=(?P<mday>[^,])"" inside a macro and passing "date_wday" as the argument, but again it took it as a string instead of the field value associated with it.

I did have some success in passing the field value via the map command, but I am just wondering if there is a nicer way of doing this.

1 Solution

bowesmana
SplunkTrust

@vikasverma 

From your example, is it true that Sun=1 always and Mon=2 always, and so on?

If so, then

| eval date_wday=tonumber(strftime(now(),"%w"))+1

If not, and the numbers are not consistent, then why do you not have your csv with

host;Sun;Mon;Tue;Wed;Thu;Fri;Sat
host1;1,2,3,4,5,6,7

Then you just look up your day, but I'm not sure if that's what you're after.

An alternative is to do the logic from this search:

| makeresults
| eval row="host1; Sun=1, Mon=2, Tue=3, Wed=4, Thu=5, Fri=6, Sat=7"
| rex field=row max_match=0 "(?<Day>\w{3})=(?<xday>\d+)"
| eval today=strftime(now(), "%a")
| eval mday=mvindex(xday, mvfind(Day, today))

Here you are rexing out ALL the day name/value pairs into two multivalue fields, then finding the current day and using that as the offset into the xday field, which holds the values.

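Applying the mvfind technique above to the asker's actual lookup, as an added example that is not from the thread: it assumes maintenance.csv has the host and maintenance_days columns described in the question, takes the weekday directly from strftime(now(), "%a") (no strptime of an epoch is needed), anchors the mvfind regex so "Mon" cannot match a longer token, and labels a host whose list has no entry for today with the constructed value "undefined" instead of leaving mday null.

```spl
| inputlookup maintenance.csv
| eval today=strftime(now(), "%a")
| rex field=maintenance_days max_match=0 "(?<Day>[A-Za-z]{3})=(?<xday>\d+)"
| eval idx=mvfind(Day, "^".today."$")
| eval mday=if(isnull(idx), "undefined", mvindex(xday, idx))
| fields host today mday
```

Because mvfind returns the index of the first matching element, a duplicated day name in maintenance_days silently wins on its first occurrence; a `| where mvcount(Day)!=mvcount(mvdedup(Day))` check run over the lookup will surface such rows.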


vikasverma
Engager

@bowesmana, thanks for this. It worked brilliantly. I will accept this as the answer for this question. But again, just out of curiosity, is there any way to change the rex pattern dynamically? I mean the way I was trying (obviously I was doing something wrong)?

bowesmana
SplunkTrust

@vikasverma 

Passing variable things to other things is not easy, other than in the field pipeline, but as @richgalloway pointed out, the map command can do this, and there is another technique where you can do this sort of thing.

| makeresults
| eval row="host1; Sun=1, Mon=2, Tue=3, Wed=4, Thu=5, Fri=6, Sat=7"
| eval today=strftime(now(), "%a")
| foreach today [ rex field=row "<<FIELD>>=(?<mday_rex>\d+)" ]
| foreach today [ eval mday_replace=replace(row,".*".<<FIELD>>."=(\d+).*", "\1") ]

In the above, the foreach statement is used to pass the field value to the subsearch; however, the rex statement does NOT work and mday_rex is null, I don't know why, but the second form, where the replace statement is used, DOES work and the mday_replace field is set correctly. That's just capturing today's day=X value using regex and removing all other text.


richgalloway
SplunkTrust

The $ syntax only works with tokens and the map command.

Try this:

| inputlookup "maintenance.csv"
| eval date_wday=strftime(strptime(now(),"%d/%m/%Y"),"%a")
| rex field=maintenance_days date_wday."\=(?P<mday>[^,])"
---
If this reply helps you, Karma would be appreciated.