Hi,
I would like to know how we can pass a field as a parameter to the rex expression in Splunk.
I am using the below which is not working for some reason.
<Search query> | rex <Field1> | rex "<tag1>?(P=Field1)</tag1><tag2>(?P<Field2>)" | table Field1,Field2
Is there any other way we can pass parameters to a rex expression?
I'm not sure exactly what you're asking either. I've used this below to use the value of a capture group later on in the rex, where "\1" is the value from the first capture group - in this case the malware_domain field. And I have to believe there is a way to escape field values as well if needed (would need to read up on rex), but maybe not.
rex "CEF.+rewrite (?<malware_domain>\S+).+(\1|nsdname)\.(?<apt_policy>[^\"]+)"
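The two mechanisms in play in this thread, as an added Python example (not code from the thread or from Splunk): the first function is the backreference rex above, transcribed to Python's `(?P<name>...)` syntax and run over constructed CEF-style events, and the second shows what the original question actually needs, a pattern built from a field's value at match time, with the escaping step the answer mentions. The sample events, the `rpz=` field and the `<tag1>`/`<tag2>` event are all made up for the example.

```python
import re

# Constructed sample events, modelled loosely on the CEF line the rex above targets.
# They are invented for this example and do not come from the original thread.
SAMPLE_EVENTS = [
    'CEF:0|Infoblox|NIOS|7.2|RPZ|rewrite|5|msg=rewrite evil.example.com to walled garden '
    'rpz=evil.example.com.apt_policy_block" src=10.0.0.5',
    'CEF:0|Infoblox|NIOS|7.2|RPZ|rewrite|5|msg=rewrite bad.example.net to sinkhole '
    'rpz=nsdname.apt_policy_nsdname" src=10.0.0.9',
]

# The answer's rex, in Python syntax: (?P<name>...) instead of (?<name>...).
# \1 is a backreference: it matches exactly the text the first group (malware_domain)
# captured in *this* event, so the captured value is reused later in the same pattern.
# A backreference compares literally, so the captured value needs no escaping.
BACKREF_PATTERN = re.compile(
    r'CEF.+rewrite (?P<malware_domain>\S+).+(\1|nsdname)\.(?P<apt_policy>[^"]+)'
)


def extract_with_backref(event):
    """Extract malware_domain and apt_policy the way the rex above does.

    Returns a dict of the named groups, or None when the event does not match.
    """
    m = BACKREF_PATTERN.search(event)
    return m.groupdict() if m else None


def extract_by_value(event, field1_value):
    """Build the regex from a field's *value*, which is what the question asks for.

    A Splunk macro cannot do this: macro arguments are substituted as text when the
    search is parsed, so rex sees the field name, never the per-event value. This
    hypothetical helper builds the pattern in code instead. re.escape() is the
    escaping step the answer alludes to: without it a '.' in the value would match
    any character rather than a literal dot.
    """
    pattern = (r'<tag1>' + re.escape(field1_value)
               + r'</tag1><tag2>(?P<Field2>[^<]*)</tag2>')
    m = re.search(pattern, event)
    return m.group('Field2') if m else None


if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(extract_with_backref(ev))
    # Constructed tag-style event matching the shape in the original question.
    tagged = '<tag1>host01</tag1><tag2>alpha.beta</tag2>'
    print(extract_by_value(tagged, 'host01'))   # value of Field1 drives the pattern
    print(extract_by_value(tagged, 'host02'))   # different value, no match
    # Escaping matters: 'a.b' must not match 'axb'.
    print(extract_by_value('<tag1>axb</tag1><tag2>x</tag2>', 'a.b'))
```

The backreference form is the one that maps directly onto a single rex, because the value is captured and reused inside the same match; the value-driven form has no rex equivalent and is shown only to make clear why textual macro substitution cannot supply it.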
I am not exactly sure what you mean, but perhaps you can make use of a macro to parameterize your use of rex:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Search/Usesearchmacros
Thanks for your comments woodcock.
I tried creating a parameterised macro, but the macro is not handling the "Field Name" as a parameter.
Instead of populating the value of the field, the macro populates the Field Name itself.
The reason that I did not give a clearer answer was because your question was unclear. Do you mean that for this:
<Search query> | rex field={FieldWithValue} "SomeRegEx"
you would like the rex performed on the field name that is represented by the value of the FieldWithValue field?