How to access the Regexes saved in the Knowledge?
Hello all,
I have recently started working with Cribl and my question may seem to be an easy one; however, I couldn't find an option to do this in the right way and hence am reaching out for help.
In one of my use cases I am getting a JSON from a source and my requirement is to check whether the attributes in the object match some of the existing Regexes in the Cribl Knowledge section.
I was expecting something like below,
For example: to access a Schema, we use C.Schema('Schema Name').validate()
In the same way, can we do
C.Regexes('Name of the regex').test()
Please advise on this with any suggestions. Thanks in advance!
Answers
-
When you're in a field that requires a regex (e.g., Regex Extract or Mask functions), and click the popout, you'll have a search field where you can retrieve saved regex. Below I typed IP and see the 'IPv4 address' saved regex at the top.
0 -
Thank you so much for your response @Jon Rust. I see this as an option when we need to extract or match the pattern against the input event.
To be specific about my requirement, I have a JSON input and wanted to create a new field using the 'Eval' function if the value of a specific key matches the Regex pattern defined in the Knowledge, instead of hard-coding the pattern in the Value Expression block. I was able to access the Schema using C.Schema to validate the schema. In a similar fashion, I am trying to understand if we have a mechanism to pull the saved patterns outside of regex-only fields like the ones you mentioned in your earlier comment.
Hope this makes sense. Thanks again!
1 -
That's a great idea for an enhancement, but unfortunately not something we can do right now. The regex library is basically a copy-paste into fields marked as regex fields (green stripe). It doesn't update if the library changes, and you can't reference it from an Eval.
0 -
I've got your point. It really is a great option because, for example, the Eval function supports the value expression, which is already accessing the Cribl libraries (i.e. C.Schema); adding access to the other options in Knowledge will be especially useful for a variety of use cases not known at this moment. Please let me know if you need any more inputs.
For now, I would consider writing a custom JS function using the 'Code' function available in the advanced section.
0 -
Possible workaround: You can store regex in a lookup file, and use the C.Lookup() function to retrieve the patterns based on whatever key suits you. For an example of this, see the Cisco ASA Pack.
1 -
Agree. I will consider this as well. Will post my final outcome after trying out the options.
0 -
I have ended up using this suggestion and it worked out for me. Thanks again, @Jon Rust!
0
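The lookup-file workaround suggested above, sketched as an added example that is not part of the original thread and is not Cribl's own code. The CSV layout, the column names `name` and `pattern`, and all function names are assumptions; `loadPatterns` stands in for the retrieval step that `C.Lookup()` would perform inside a pipeline.

```javascript
// Constructed lookup content: one saved pattern per row (name,pattern).
// File layout and column names are assumptions made for this example.
const LOOKUP_CSV = [
  'name,pattern',
  'ipv4,^(?:(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)\\.){3}(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)$',
  'email,^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$',
  'broken,([unclosed',
].join('\n');

// Stand-in for the lookup retrieval (hypothetical helper, simplified CSV
// parsing: each row is split on its first comma only, no quoting support).
function loadPatterns(csv) {
  const table = new Map();
  for (const row of csv.trim().split('\n').slice(1)) {
    const i = row.indexOf(',');
    if (i > 0) table.set(row.slice(0, i), row.slice(i + 1));
  }
  return table;
}

// Cache compiled patterns so each one is compiled once, not once per event.
const compiled = new Map();

function namedRegex(table, name) {
  if (compiled.has(name)) return compiled.get(name);
  let re = null;
  const src = table.get(name);
  if (src !== undefined) {
    // A malformed row in the lookup must not throw inside the pipeline.
    try { re = new RegExp(src); } catch (e) { re = null; }
  }
  compiled.set(name, re);
  return re;
}

// true/false when the pattern exists and the value is a string;
// null when the pattern is missing or invalid, or the value is not a string.
function matchesSaved(table, name, value) {
  const re = namedRegex(table, name);
  if (re === null || typeof value !== 'string') return null;
  return re.test(value);
}

// Constructed sample event, enriched the way an Eval-style step would.
const PATTERNS = loadPatterns(LOOKUP_CSV);
const event = JSON.parse('{"src":"10.20.30.40","user":"not-an-email"}');
event.src_is_ipv4 = matchesSaved(PATTERNS, 'ipv4', event.src);
event.user_is_email = matchesSaved(PATTERNS, 'email', event.user);
```

Returning `null` for a missing or uncompilable pattern keeps "no decision" distinct from "did not match", so a typo in the lookup file shows up in the output field instead of silently reading as a non-match.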