Re: Is it possible to define tags using regex?

tgdvopab · ‎06-21-2016

I would like to define a tag in splunk using a regex.

Example:
host=st1231, host=1232, host=1233 --> the name of the tag should be "foo"
host=st1234, host=1235, host=1236, host=1237 -> the name of the tag should be "bar"

Is it possible to define these tags above using a regex? Or do I have to define for each host its own tag?

ram148280 · ‎06-21-2019

You can dow this with Python also.,Ya its You can dow with this This is a known problem with regex - you can't match pairs. Matching is either greedy, in which it matches the last one it finds, or non-greedy, in which it matches the first. You can't persuade a regex to count opening and closing brackets.

I would recommend loading it into a DOM and using that. If you are trying to implement an HTML parser, I would recommend using regex to lex it, then a left-right parser to parse the output of your lexer.

woodcock · ‎06-21-2016

The only way that you can do any wildcarding is to use * in an eventtype definition and then you create a tag with a value like this:

eventtype=<Your eventtype Name Here>`

Even so, you cannot use pipes | in your eventtype so you are cannot use the RegEx-ish commands like regex, so this is not really an answer, other than to assure you that there is no answer.

_jgpm_ · ‎01-05-2017

@woodcock, I tried creating an event type, but it wouldn't let me include search commands in the event type. I'm on 6.4.3.

Can you help me understand why this is the case?

woodcock · ‎06-20-2019

I have clarified my answer.

tgdvopab · ‎06-21-2016

Thanks for your answer!

Would it be possible to make a list of hosts in a tag?
Example: host=(st1231 OR host=1232 OR host=1233) as tag "foo"?

woodcock · ‎06-21-2016

No, but

1: You can use a list in your eventtype. If you are using the GUI, when you create an eventtype with a search string, there is place to assign it a tag name, too.
2: You can create multiple tag definitions, one-by-one, recycling the same tag name, one for each host KVP.

sundareshr · ‎06-21-2016

Don't believe tags support wildcards or regex. Alternatively you could use search macros and regex. Something like this should work

[foo]
definition = index=st123* | regex host="st123[1-3]"

[bar]
definition = index=st123* | regex host="st123[4-7]"

In your search, you could use

`foo` 

OR 

`bar`

tgdvopab · ‎06-21-2016

Thanks for your answer!

Would it be possible to make a list of hosts in a tag?
Example: host=(st1231 OR host=1232 OR host=1233) as tag "foo"?

tgdvopab · ‎06-21-2016

The regex should look like: host=st123[1-3] for "foo" and host=st123[4-7] for "bar"

mfleischman_spl · ‎06-19-2019

Tags CAN be created with wildcards:
Settings > Tags > All unique tag objects > New Tag:
Tag name = privileged_user
Field name = user
Field value = admin

Search: tag=privileged_user (will find admin, sysadmin, adminsap, etc)

Is it possible to define tags using regex?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio