I would like to store a regex pattern in a variable and use it to extract data. I've seen lots of similar questions but haven't been able to figure this out.
I can do the following
| makeresults count=1 | eval val=4 | rex field=val "(?<dig>\d)"
but I cannot
| makeresults count=1 | eval val=4 | eval ptn="(?<dig>\d)" | rex field=val ptn
Ultimately, I would have regex patterns stored in a CSV file and use lookup to get the correct pattern for a given query. It seems the above would be a minimal implementation of this strategy.
Also note that both match() and replace() will pull RegEx from inside of a field name.
This is probably more what you are looking for:
https://answers.splunk.com/answers/386488/regex-in-lookuptable.html
That's great. Going to try that out.
Be sure to UpVote over there and come back here to Accept an answer if it works out.
You could use a transforms.conf stanza with the extract command to accomplish this.
Transforms would be your storage for your regex pattern and then you'd invoke it with extract during your search, or you can apply it automatically in props.conf
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Extract
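As an added example of the transforms.conf approach described in this answer (not from the thread itself), the stanza below stores the question's pattern and applies it to the val field instead of _raw. The stanza name val_digit, the sourcetype mysourcetype and the index myindex are assumptions; any names will do as long as props.conf and the search reference the same stanza.

```ini
# transforms.conf (on the search head): the stored regex.
# SOURCE_KEY makes the regex run against the "val" field rather than _raw,
# which matches "rex field=val" in the question.
[val_digit]
REGEX = (?<dig>\d)
SOURCE_KEY = val

# props.conf: optionally apply the transform automatically at search time
# for events of the assumed sourcetype.
[mysourcetype]
REPORT-val_digit = val_digit

# Ad hoc use without the props.conf entry, naming the stanza directly
# (the field "val" must already exist on the events):
#   index=myindex sourcetype=mysourcetype | extract val_digit
```

Because the pattern lives in a configuration file rather than in search-time data, only someone who can edit transforms.conf (or deploy an app) can change it, which is a better fit than a lookup file when the patterns must not be altered by ordinary search users.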
You can use map
| makeresults count=1
| eval val=4
| eval ptn="(?<dig>\d)"
| map [ search | rex field=val $ptn$]
It would actually be:
| makeresults count=1
| eval val=4
| eval ptn="(?<dig>\d)"
| map search="| rex field=val $ptn$"
Except that the search results don't go into the map command for val in that way, and you can't send the val value into the search like this:
| makeresults count=1
| eval val=4
| eval ptn="(?<dig>\d)"
| map search="| rex field=$val$ $ptn$"
because the val value isn't a field name. So you are stuck between a rock and a hard place. The rex command requires a quoted string for the regex that it will use, not a field. I don't know of a way that you can do what you are wanting to do.
I always mess up the syntax of map... apologies
Quite alright. I appreciate the input and will learn from it anyway.
unfortunately, we had a power outage on campus this morning and Splunk is not the first thing restored so it won't be today 😞
Here's what I meant to post:
| makeresults count=1
| eval val=4
| eval ptn="(?<dig>\d)"
| map search="search index=yourindex | rex field=val $ptn$"
OR:
| inputlookup yourlookup.csv
| map search="search index=yourindex | rex field=val $regexFieldInLookup$"
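As an added example, not from this answer or the thread, a lookup-driven version of the map approach. It assumes a lookup file regex_lookup.csv with the columns query_type and pattern, containing a constructed row query_type=digits, pattern=(?<dig>\d), and events in an assumed index myindex / sourcetype mysourcetype that carry a field named val. Since rex expects its regex as a quoted string (as noted earlier in the thread), the substituted token is wrapped in escaped double quotes inside the map search string.

```spl
| inputlookup regex_lookup.csv
| search query_type="digits"
| map maxsearches=1 search="search index=myindex sourcetype=mysourcetype | rex field=val \"$pattern$\" | table val dig"
```

map runs the inner search once per row it receives (so filter the lookup down to the row you want and set maxsearches explicitly), and only the inner search's results come back. Note also that the lookup value is pasted verbatim into the generated search: a pattern containing a double quote or a pipe changes the SPL that runs, so anyone who can write to the lookup can alter the search. Restrict write access to the lookup file, or keep the patterns in transforms.conf as the other answer suggests.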
Didn't know about map. That seems useful.
This search did not work for me, though.