- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to refer a eval reference in rex to change the...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to refer a eval reference in rex to change the group name dynamically?
How to use eval reference in rex command.
Here is what I have tried so far:
MyMacro: myrextest(1)
| eval test= "Hello"
| eval myinput = $myinput$
| eval rexString = "'$myinput$':'(?<$myinput$>[^*']+)"
| rex field=payload "'$myinput$':'(?<$myinput$>[^*']+)"
Search String without eval and it is working fine :
| eval payload = "{'description':'snapshot created from
test','snapShotName':'instance1-disk-2-cio-
1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
`myrextest("snapShotName")`
output from search string:
rexString: 'snapShotName':'(?<snapShotName>[^*']+)
Search String with eval:
| makeresults
| eval payload = "{'description':'snapshot created from
test','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-
disk-2','status':'READY'}"
| eval myMacroInput = "snapShotName"
`myrextest(myMacroInput)`
output from search string:
'myMacroInput':'(?<myMacroInput>[^*']+)
Based on my observation when I am passing eval reference to my macro and using it in rex it is not replacing the value it is replacing with eval reference.
Can some one please help me on it, I have tired a lot but unfortunately I didn't get any solution .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you seek can't be done, although it would be great if it could. Macros are expanded before the search runs so there are no field values to pass to the macro. See https://ideas.splunk.com/ideas/EID-I-56
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi richgalloway,
In my case macro is optional, I have tried without macro also but getting same result.
| makeresults
| eval payload = "{'description':'snapshot created from ciolake','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
| eval keyName1 = "snapShotName",keyName2 = "snapShotName"
| foreach keyName*[
eval myRexTestString = <<FIELD>>."':'(?<hello>[^*']+)"
| rex field=payload <<FIELD>>."':'(?<rexgroupnam>[^*']+)"
| rename rexgroupnam as <<FIELD>> ]
Output from search command:
myRexTestString : snapShotName':'(?<hello>[^*']+)
keyName1: null
keyName2: null
Is there any possibility to use map instead of foreach, if yes can you please provide me the example how to use map in this case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my experience, we can't use the concatenation operator or field names with the rex command.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the confirmation .
After changing my input parameter format, I am able to achieve it
| makeresults
| eval payload = "{'description':'snapshot created from ciolake','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
| foreach snapShotName description sourceDisk
[eval <<FIELD>> = "<<FIELD>>" | rex field=payload "'<<FIELD>>':'(?<rexgroupnam>[^*']+)"
| rename rexgroupnam as "<<FIELD>>" ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After all these rounds, I finally get to see what you really want. (You could have get to this point by illustrating how actual results differ from intended results.
I am not sure why foreach is less desirable than mvmap. But you can use replace to achieve what you desired. Given this macro:
[myrextest(2)]
args = data,myinput
definition = replace($data$, ".*?'".$myinput$."':'([^']+).*", "\1")
iseval = 0
I took the liberty of adding another arg to represent data field because it's just fair. The trick is really about interpolation of $myinput$. (Although I wasn't able to make it work in rex command and unsure why.)
This is how you can use it - with the same data emulation you have shown:
| makeresults
| fields - _time
| eval payload = "{'description':'snapshot created fromtest','snapShotName':'instance1-disk-2-cio-1564744963','sourceDisk':'instance1-disk-2','status':'READY'}"
``` data emulation above ```
| eval onename = "status", anyname = mvappend("status", "sourceDisk", "snapShotName", "description")
| eval onefield = `myrextest(payload, onename)`
| eval anyfield = mvmap(anyname, `myrextest(payload, anyname)`)
| fields onename onefield anyname anyfield
Here is the result:
| onename | onefield | anyname | anyfield |
| status | READY | status sourceDisk snapShotName description | READY instance1-disk-2 instance1-disk-2-cio-1564744963 snapshot created fromtest |
Is this what you are looking for?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
