Splunk Search

Regex from variable

bobweinerjr
Explorer

I would like to store a regex pattern in a variable and use it to extract data. I've seen lots of similar questions but haven't been able to figure this out.

I can do the following

| makeresults count=1 | eval val=4 | rex field=val "(?<dig>\d)"

but I cannot

| makeresults count=1 | eval val=4 | eval ptn="(?<dig>\d)" | rex field=val ptn

Ultimately, I would have regex patterns stored in a CSV file and use lookup to get the correct pattern for a given query. It seems the above would be a minimal implementation of this strategy.


woodcock
Esteemed Legend

Also note that both match() and replace() will pull RegEx from inside of a field name.


woodcock
Esteemed Legend

This is probably more what you are looking for:

https://answers.splunk.com/answers/386488/regex-in-lookuptable.html


bobweinerjr
Explorer

That's great. Going to try that out.


woodcock
Esteemed Legend

Be sure to UpVote over there and come back here to Accept an answer if it works out.


oscar84x
Contributor

You could use a transforms.conf stanza with the extract command to accomplish this.
transforms.conf would be the storage for your regex pattern, and then you'd invoke it with extract during your search; or you can apply it automatically in props.conf.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Extract


jkat54
SplunkTrust

You can use map

| makeresults count=1 
| eval val=4 
| eval ptn="(?<dig>\d)" 
| map [ search | rex field=val $ptn$]

cpetterborg
SplunkTrust

It would actually be:

| makeresults count=1 
| eval val=4 
| eval ptn="(?<dig>\d)"
| map search="| rex field=val $ptn$"

Except that the search results don't go into the map command for val in that way, and you can't send the val value into the search like this:

| makeresults count=1 
| eval val=4 
| eval ptn="(?<dig>\d)"
| map search="| rex field=$val$ $ptn$"

because the val value isn't a field name. So you are stuck between a rock and a hard place. The rex command requires a quoted string for the regex that it will use, not a field. I don't know of a way that you can do what you are wanting to do.


jkat54
SplunkTrust

I always mess up the syntax of map... apologies


bobweinerjr
Explorer

Quite all right. I appreciate the input and will learn from it anyway.
Unfortunately, we had a power outage on campus this morning and Splunk is not the first thing restored, so it won't be today 😞

jkat54
SplunkTrust

Here's what I meant to post:

 | makeresults count=1 
 | eval val=4 
 | eval ptn="(?<dig>\d)" 
 | map search="search index=yourindex | rex field=val $ptn$"

OR:

 | inputlookup yourlookup.csv 
 | map search="search index=yourindex | rex field=val $regexFieldInLookup$"

bobweinerjr
Explorer

Didn't know about map. That seems useful.

This search did not work for me, though.

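A complete search that does what the thread is after, as an added example that is not part of the original posts: it assumes a constructed lookup table file named regex_patterns.csv with two columns, query_key and ptn, holding two made-up rows (digit with (?<dig>\d) and ip with (?<ip>\d+\.\d+\.\d+\.\d+)), and the event string in val is also constructed. The lookup supplies the pattern for the row's query_key, match() is used to confirm the pattern fits the value before any subsearch is spawned (woodcock's point above that match() takes its regex from a field), and map rebuilds each row inside its subsearch with makeresults so that rex receives the pattern as a quoted string, which is the restriction cpetterborg identified. Starting the subsearch with a fresh "search index=..." instead would discard val, which is why the earlier map attempts produced nothing.

```spl
| makeresults count=1
| eval val="user=alice src=10.1.2.3 attempts=4", query_key="ip"
| lookup regex_patterns.csv query_key OUTPUT ptn
| where match(val, ptn)
| map maxsearches=10 search="| makeresults | eval val=\"$val$\", query_key=\"$query_key$\" | rex field=val \"$ptn$\""
```

With the constructed lookup this returns one row carrying val, query_key and the extracted field ip=10.1.2.3; swapping query_key for "digit" yields dig=1 instead, since rex stops at the first match. Two caveats for anyone adopting this: map runs one subsearch per incoming row and substitutes $val$ and $ptn$ as raw text, so a value that contains a double quote or a dollar sign breaks the quoting of the generated search, and the approach belongs with small, trusted row sets rather than arbitrary event data; and because the regexes now come from an editable CSV, review each one for catastrophic backtracking before rex runs it across every event, since whoever can edit the lookup controls what the search engine executes.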