Using regex function with pattern stored in a variable

dave_krebs — Fri, 14 Feb 2014 01:44:03 GMT

I have dashboard panel with a dropdown menu on it. When the user selects a category from the dropdown, it will be stored in the variable $category$.

Based on the category selected by the user, I want to apply a regular expression to the "name" field in my search.

For example, if the user selects the category "category1", then I want to apply the regular expression "^(my|reg|ex)" to the "name" field in my search.

Here's what I tried:

sourcetype = mysourcetype | eval catregex = case(match($app_category$,"category1"),"^(my|reg|ex)" | regex name = catregex

This is not working. I'm thinking that the problem is with the command regex name = catregex

Maybe the field/variable that I created, catregex, is being interpreted as a string in that context? If so, how can I make sure it's interpreted as a variable?

I also tried something like this with regex command, but it seems this is not possible:

regex name = case(match($app_category$,"category1"),"^(my|reg|ex)"

Any help would be greatly appreciated!

Thanks, fellow Splunkers!

Re: Using regex function with pattern stored in a variable

yannK — Fri, 14 Feb 2014 02:06:50 GMT

can you try to cast the variable in a field with an eval first ?

Re: Using regex function with pattern stored in a variable

dave_krebs — Wed, 07 May 2014 13:45:15 GMT

I eventually figured this one out. The fix is to put $app_category$ in double quotes:

eval mycategory="$app_category$"

topic Re: Using regex function with pattern stored in a variable in Splunk Search

Using regex function with pattern stored in a variable

Re: Using regex function with pattern stored in a variable

Re: Using regex function with pattern stored in a variable