Is it possible to define tags using regex?

tgdvopab
Path Finder

I would like to define a tag in splunk using a regex.

Example:
host=st1231, host=1232, host=1233 --> the name of the tag should be "foo"
host=st1234, host=1235, host=1236, host=1237 -> the name of the tag should be "bar"

Is it possible to define these tags above using a regex? Or do I have to define for each host its own tag?

0 Karma

ram148280
New Member

You can do this with Python also. This is a known problem with regex - you can't match pairs. Matching is either greedy, in which it matches the last one it finds, or non-greedy, in which it matches the first. You can't persuade a regex to count opening and closing brackets.

I would recommend loading it into a DOM and using that. If you are trying to implement an HTML parser, I would recommend using regex to lex it, then a left-right parser to parse the output of your lexer.

0 Karma

woodcock
Esteemed Legend

The only way that you can do any wildcarding is to use * in an eventtype definition and then create a tag with a value like this:

eventtype=<Your eventtype Name Here>

Even so, you cannot use pipes | in your eventtype, so you cannot use the RegEx-ish commands like regex, so this is not really an answer, other than to assure you that there is no answer.

0 Karma

_jgpm_
Communicator

@woodcock, I tried creating an event type, but it wouldn't let me include search commands in the event type. I'm on 6.4.3.

Can you help me understand why this is the case?

0 Karma

woodcock
Esteemed Legend

I have clarified my answer.

0 Karma

tgdvopab
Path Finder

Thanks for your answer!

Would it be possible to make a list of hosts in a tag?
Example: host=(st1231 OR host=1232 OR host=1233) as tag "foo"?

0 Karma

woodcock
Esteemed Legend

No, but

1: You can use a list in your eventtype. If you are using the GUI, when you create an eventtype with a search string, there is a place to assign it a tag name, too.
2: You can create multiple tag definitions, one by one, recycling the same tag name, one for each host KVP.

0 Karma

sundareshr
Legend

Don't believe tags support wildcards or regex. Alternatively you could use search macros and regex. Something like this should work:

[foo]
definition = host=st123* | regex host="^st123[1-3]$"

[bar]
definition = host=st123* | regex host="^st123[4-7]$"

In your search, you could use

`foo` or `bar`
0 Karma

tgdvopab
Path Finder

The regex should look like: host=st123[1-3] for "foo" and host=st123[4-7] for "bar"

0 Karma

mfleischman_spl
Splunk Employee

Tags CAN be created with wildcards:
   Settings > Tags > All unique tag objects > New Tag:
 Tag name = privileged_user
 Field name = user
 Field value = *admin*

Search: tag=privileged_user (will find admin, sysadmin, adminsap, etc.)

0 Karma
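The three mechanisms proposed in this thread (an eventtype that carries a tag, a tag stanza per host KVP or with a wildcard, and a search macro with an anchored regex for the cases a wildcard cannot express), written out as Splunk .conf stanzas. This is an added example, not configuration posted by anyone in the thread or shipped by Splunk; the host names and tag names follow the question, the wildcard tag follows mfleischman_spl's post, and the file placement (a local/ directory of one app, e.g. $SPLUNK_HOME/etc/apps/<app>/local/) is an assumption.

```ini
# Added example, not from the thread. Each section below belongs in the named
# file under an app's local/ directory (placement is an assumption).

# ---------- eventtypes.conf ----------
# An eventtype holds a plain search: OR lists and * wildcards are allowed,
# pipes (and therefore the regex command) are not.
[foo_hosts]
search = host=st1231 OR host=st1232 OR host=st1233

[bar_hosts]
search = host=st1234 OR host=st1235 OR host=st1236 OR host=st1237

# ---------- tags.conf ----------
# Attach the tag to the eventtype instead of to every host KVP.
# Search with:  tag=foo   or   tag=bar
[eventtype=foo_hosts]
foo = enabled

[eventtype=bar_hosts]
bar = enabled

# Alternative: one stanza per host KVP, recycling the same tag name.
[host=st1231]
foo = enabled

[host=st1232]
foo = enabled

# Wildcard in the field value, as in mfleischman_spl's post.
# tag=privileged_user then matches user=admin, sysadmin, adminsap, ...
# Note that a wildcard cannot separate st123[1-3] from st123[4-7];
# for that, use the eventtype list above or the macro below.
[user=*admin*]
privileged_user = enabled

# ---------- macros.conf ----------
# sundareshr's approach. The base search narrows on host=st123* first so the
# regex runs on a small result set. Anchor the pattern: an unanchored
# st123[1-3] would also match a host such as st12310.
# Search with:  `foo`   or   `bar`
[foo]
definition = host=st123* | regex host="^st123[1-3]$"

[bar]
definition = host=st123* | regex host="^st123[4-7]$"
```

Because the macros contain a pipe, `foo` and `bar` are meant to be used one at a time as the start of a search, not combined with OR; the eventtype-backed tags (tag=foo OR tag=bar) are the form to reach for when both groups are wanted in a single search.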