Solved: Re: how to use field value present in one rex in...

Chandrasekhar6 · ‎12-07-2023

index=cs |  rex "Type=(?<type>[a-z]+)"
| rex field=AResponse.BResponse.Message mode=sed "s/Ref number+\w+\sfailed on num:*+/NetworkA failed on num: /g"

Here I hardcoded NetworkA in second rex
but actually its a dynamic value and it should be changed according to value present in field type

How to use type value in second rex

justinatpnnl · ‎12-07-2023

It seems like you may be able to accomplish what you want with an eval:

index=cs 
| rex "Type=(?<type>[a-z]+)"
| eval AResponse.BResponse.Message = replace('AResponse.BResponse.Message', "Ref number \w+ failed on num: ", type." failed on num: ")

View solution in original post

justinatpnnl · ‎12-07-2023

It seems like you may be able to accomplish what you want with an eval:

index=cs 
| rex "Type=(?<type>[a-z]+)"
| eval AResponse.BResponse.Message = replace('AResponse.BResponse.Message', "Ref number \w+ failed on num: ", type." failed on num: ")

Chandrasekhar6 · ‎12-07-2023

Tq so much

richgalloway · ‎12-07-2023

Try using the concatenation operator to include the field from the first regex in the second.

index=cs 
| rex "Type=(?<type>[a-z]+)"
| rex field=AResponse.BResponse.Message mode=sed "s/Ref number+\w+\sfailed on num:*+/" . type . " failed on num: /g"

---
If this reply helps you, Karma would be appreciated.

Chandrasekhar6 · ‎12-07-2023

I am getting this error

Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string

When I removed double quotes getting this ouput : . type . failed on num

how to use field value present in one rex into another rex

rex

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel