Hello!
How would I go about referencing an already extracted field's regex pattern in a regex?
So I don't have to copy the pattern of the field each time.
For example I have an extracted field for "md5_hash", and I want to look for URLs with the following syntax: "^/some/thing/(md5_hash)". Is this possible?
Thanks in advance!
Yes, if you look in $SPLUNKHOME$/etc/system/default/transforms.conf, you can see many examples of how to do it. Here is one of them:
[octet]
# this would match only numbers from 0-255 (one octet in an ip)
REGEX = 2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]?
[ipv4]
# matches a valid IPv4 optionally followed by :port_num the octets in the ip would also be validated 0-255 range
# Extracts: ip, port
REGEX = (?
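Applied to the md5_hash case from the question, as an added example that is not part of the original answer or of Splunk's shipped configuration: a `[[stanza_name]]` reference pulls in the REGEX of a transforms.conf stanza, so the reusable pattern has to live in its own stanza. The stanza names `md5_hash` and `url_md5`, the sourcetype `my_web_logs` and the source field `uri_path` are assumptions.

```ini
# ---- transforms.conf (in your app's local directory) ----

# Reusable building block: 32 hexadecimal characters.
# It has only a REGEX, like the [octet] stanza above.
[md5_hash]
REGEX = [0-9a-fA-F]{32}

# [[md5_hash]] is replaced by the REGEX of the [md5_hash] stanza.
# The named group around it creates a field called md5_hash.
# SOURCE_KEY points the match at an already extracted field
# (uri_path is assumed here), so the ^ anchor applies to the
# URL path rather than to the raw event.
[url_md5]
SOURCE_KEY = uri_path
REGEX = ^/some/thing/(?<md5_hash>[[md5_hash]])

# ---- props.conf ----

# Run the extraction at search time for the assumed sourcetype.
[my_web_logs]
REPORT-url_md5 = url_md5
```

Comments go on their own lines, because text after a value on the same line is read as part of the value.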