Using rex to prototype a field

When defining fields, it is often convenient to build the pattern directly in the query and then copy the pattern into the configuration. You might have noticed that the test in the Extract Fields workflow used rex.

Let's turn the subnet pattern we built earlier into a field. First, we build the query with the rex statement:

sourcetype="impl_splunk_gen" ip="*"
| rex "ip=(?P<subnet>\d\.\d\.\d+)\.\d+"
| table ip subnet

Since we know that the events we care about will contain an ip field, we can use ip="*" to limit the results to events that have a value for that field.

The table command takes a list of fields and displays a table, one row per event.

As we can see, the rex statement doesn't always work. Looking at the pattern again, you may notice that the first two instances of \d are now missing their trailing +. Without the plus sign, only addresses with a single digit in both their first and second sections will match. After adding the missing plus signs to our pattern, all rows will have a subnet:

sourcetype="impl_splunk_gen" ip="*"
| rex "ip=(?P<subnet>\d+\.\d+\.\d+)\.\d+"
| table ip subnet
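To see why the first pattern misses most rows, here is an added example (not part of the book, and not Splunk's own rex implementation) that simulates the `ip="*" | rex ... | table ip subnet` pipeline with Python's `re` module over a few constructed events written in the style of the impl_splunk_gen sourcetype. Both patterns are copied from the page; the event text, the `run_search` and `missing_subnet` helpers, and the key=value parsing are assumptions made for the example.

```python
import re

# Constructed sample events in the style of the book's impl_splunk_gen
# sourcetype (not real data). Only one event has single-digit first and
# second octets; one event has no ip field at all.
SAMPLE_EVENTS = [
    "2023-01-01 12:00:00 level=INFO ip=1.2.3.4 user=mary",
    "2023-01-01 12:00:01 level=WARN ip=10.2.3.4 user=bob",
    "2023-01-01 12:00:02 level=INFO ip=1.22.3.4 user=jacky",
    "2023-01-01 12:00:03 level=ERROR ip=192.168.1.7 user=bobby",
    "2023-01-01 12:00:04 level=INFO user=extra",
]

# The first pattern from the page: the first two \d have no trailing +,
# so they only match one digit each.
BROKEN_PATTERN = r"ip=(?P<subnet>\d\.\d\.\d+)\.\d+"
# The corrected pattern: every octet may have more than one digit.
FIXED_PATTERN = r"ip=(?P<subnet>\d+\.\d+\.\d+)\.\d+"

# Simplified key=value extraction standing in for Splunk's automatic
# field discovery (assumption: values contain no whitespace).
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(event):
    """Return the key=value pairs found in one raw event as a dict."""
    return dict(KV_RE.findall(event))


def run_search(events, rex_pattern):
    """Simulate: ip="*" | rex "<rex_pattern>" | table ip subnet.

    Returns one dict per surviving event. Where the regex does not match,
    subnet is None, mirroring rex leaving the field unset for that event.
    """
    regex = re.compile(rex_pattern)
    rows = []
    for event in events:
        fields = parse_kv(event)
        if "ip" not in fields:  # ip="*": keep only events that have an ip value
            continue
        match = regex.search(event)
        rows.append({
            "ip": fields["ip"],
            "subnet": match.group("subnet") if match else None,
        })
    return rows


def missing_subnet(rows):
    """Count rows for which the rex pattern failed to extract a subnet."""
    return sum(1 for row in rows if row["subnet"] is None)


if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN_PATTERN), ("fixed", FIXED_PATTERN)):
        rows = run_search(SAMPLE_EVENTS, pattern)
        print(f"{name}: {missing_subnet(rows)} of {len(rows)} rows missing subnet")
        for row in rows:
            print(f"  {row['ip']:<14} {row['subnet']}")
```

With the broken pattern only the 1.2.3.4 event gets a subnet; the other three ip rows come back empty, which is exactly the gap the table view reveals. Note that even the corrected pattern only enforces "digits separated by dots", so a value such as 999.1.2.3 would still be accepted; if the extracted field feeds a security decision, validate the octet range separately rather than trusting the regex alone.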

We can now take the pattern from the rex statement and use it to build a configuration.