Hello All,
I hope you all are doing well.
I have a situation wherein i have to pass current day value (Sun, Mon, Tue etc) in regex dynamically to capture a value associated which i have in lookup for that day.
I have a lookup, maintenance.csv with below fields.
host; maintenance_days
host1; Sun=1, Mon=2, Tue=3 and so on
What i want is, depending on the day on which my search is ran, it should fetch value the corresponding value of the day. For example, if my search runs on Mon, it should return 2, if it runs on Tue, it should return 3 etc.
I thought i can do this by calculating the day on the search time and passing this as variable in my regex and extracting the value for the day (1, 2, 3 etc) by using fields in rex command but its not working.
Search:
| inputlookup "maintenance.csv"
| eval date_wday=strftime(strptime(now(),"%d/%m/%Y"),"%a")
| rex field=maintenance_days "date_wday\=(?P<mday>[^,])"
What i need is, if above search is run on "Mon", then regex in search becomes, "| rex field=maintenance_days "Mon\=(?P<mday>[^,])"". If it runs on Wednesday, then it becomes "| rex field=maintenance_days "Wed\=(?P<mday>[^,])"" etc.
I have tried $date_way$ instead of date_wday but it didnt worked. I have tried putting "| rex field=maintenance_days "date_wday\=(?P<mday>[^,])"" inside a macro and passing "date_wday" as argument, but it again took it as a string instead of field value associated with it.
I did had some sucess in passing field value via map command but i am just wondering if there is any nicer way of doing this.
From your example, is it true that Sun=1 always and Mon=2 always and so on.
If so, then
| eval date_wday=tonumber(strftime(now(),"%w"))+1
If not, and the numbers are not consistent, then why do you not have your csv with
host;Sun;Mon;Tue;Wed;Thu;Fri;Sat
host1;1,2,3,4,5,6,7
then you just lookup your day, but I'm not sure if that's what you're after.
An alternative is to do the logic from this search
| makeresults
| eval row="host1; Sun=1, Mon=2, Tue=3, Wed=4, Thu=5, Fri=6, Sat=7"
| rex field=row max_match=0 "(?<Day>\w{3})=(?<xday>\d+)"
| eval today=strftime(now(), "%a")
| eval mday=mvindex(xday, mvfind(Day, today))
where you are rexing out ALL the day name/value pairs into two multivalue fields, then finding the current day and using that as the offset to the mday values held above in the xday field.
From your example, is it true that Sun=1 always and Mon=2 always and so on.
If so, then
| eval date_wday=tonumber(strftime(now(),"%w"))+1
If not, and the numbers are not consistent, then why do you not have your csv with
host;Sun;Mon;Tue;Wed;Thu;Fri;Sat
host1;1,2,3,4,5,6,7
then you just lookup your day, but I'm not sure if that's what you're after.
An alternative is to do the logic from this search
| makeresults
| eval row="host1; Sun=1, Mon=2, Tue=3, Wed=4, Thu=5, Fri=6, Sat=7"
| rex field=row max_match=0 "(?<Day>\w{3})=(?<xday>\d+)"
| eval today=strftime(now(), "%a")
| eval mday=mvindex(xday, mvfind(Day, today))
where you are rexing out ALL the day name/value pairs into two multivalue fields, then finding the current day and using that as the offset to the mday values held above in the xday field.
@bowesmana, thanks for this. It worked brilliantly.. i will accept this as answer for this question. BUt again, just out of curiosity, is there any way to change rex pattern dynamically? i mean the way i was trying (obviously i ws doing something wrong)?
passing variable things to other things is not easy, other than in the field pipeline, but as @richgalloway pointed out, the map command can do this, but there is another technique where you can do this sort of thing.
| makeresults
| eval row="host1; Sun=1, Mon=2, Tue=3, Wed=4, Thu=5, Fri=6, Sat=7"
| eval today=strftime(now(), "%a")
| foreach today [ rex field=row "<<FIELD>>=(?<mday_rex>\d+)" ]
| foreach today [ eval mday_replace=replace(row,".*".<<FIELD>>."=(\d+).*", "\1") ]
In the above, the foreach statement is used to pass the field value to the subsearch, however, the REX statement does NOT work and mday_rex is null, I don't know why, but the second form, where the replace statement is used, DOES work and the mday_replace field is set correctly. That's just capturing today's day=X value using regex and removing all other text.
The $ syntax only works with tokens and the map command.
Try this
| inputlookup "maintenance.csv"
| eval date_wday=strftime(strptime(now(),"%d/%m/%Y"),"%a")
| rex field=maintenance_days date_wday."\=(?P<mday>[^,])"