- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting rex field with a newly extracted rex fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting rex field with a newly extracted rex field
Below is the current search I have put together to extract a couple fields. The extraction of the ClientID from the source works perfect. I now need to extract the filetype from the import_File field based on the previously extracted ClientID.
Search:
source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* Moved earliest=-36h@h
| rex field=source "importhelpers\\\\+(?ClientID[^\\\\]+)"
| rex field=import_File ""ClientID"\\\\\\\\\\+(?filetype[^\\]+)"
import_File Examples:
D:\XSP\Builds\IRM\InternalImports\IRM\Account\IRM_Accounts_20170810_csv.xml
D:\XSP\Builds\USBI\InternalImports\IRM\Manager\IRM_Accounts_20170810_csv.xml
- In these examples I am trying to extract from the
import_Filewherefile_Typewill beAccountorManager. - It is important to note that
IRMandUSBIright before that is theClientIDthat is extracted from the first rex field. ThisClientIDwill be different for each client and I will need to extract thefiletypebased on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand you correctly, you would like to use the values of the previously generated-by-rex-at-search-time field ClientID inside of a later rex call as part of the RegEx string/pattern, right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the field import_File contains both ClientID and filetype, why not just extract ClientID along with filetype from import_File field only. This way you can avoid reference previously extracted value (dynamic) in your 2nd rex.
source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* Moved earliest=-36h@h
| rex field=import_File "InternalImports\\\\(?<ClinetID>[^\\\]+)\\\\(?<filetype>[^\\\]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that IRM and USBI are clientID's. Account and Manager are filetype's
| makeresults | eval import_File="D:\XSP\Builds\IRM\InternalImports\IRM\Account\IRM_Accounts_20170810_csv.xml;D:\XSP\Builds\USBI\InternalImports\IRM\Manager\IRM_Accounts_20170810_csv.xml " | makemv delim=";" import_File| mvexpand import_File| eval test=replace(import_File,"\\","#") | rex field=test "\S+:#\w+#\w+#(?P<ClientID1>\w+)#\w+#\w+#(?P<filetype>\w+)#(?P\S+)" | eval filetype=if(clientID==clientID1, filetype, "NA")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I reformatted your OP but some of the text in the rex commands was lost when you submitted it because it was not called out as code. Please fix.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can stack extractions. It is easier to see in a transforms conf stanza. See in this example of extracting header then pulling from the header field as the source key.
http://www.georgestarcher.com/splunk-bringing-in-data-minecraft-the-model-method/
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
