Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to use tokens in rex fields?

codywsj
Loves-to-Learn
‎07-30-2020 07:50 AM

Hi, 

Is it possible to use tokens in rex fields like this?

| rex "\d{1,2}-\S{3}\s\d{2}:\d{2}:\d{2}.\d{3}\s\S{3}\s\[(?<ip2>$spec_ip$)\]\s%NICWIN-4-Security_560_Security[\S\s]+?(?<log_time2>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{2}\s\d{2}:\d{2}:\d{2})[\S\s]+?\S*Object\sName:\s(?<object_name2>[\S\s]+?)New\sHandle\sID[\S\s]+?Primary\sUser\sName:\s(?<username2>[\S\s]+?)\s+"


0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-30-2020 11:08 PM

I don't see why not - easy enough to test - just make a dashboard with a text input token spec_ip and see. See this

<form>
  <label>test_ip</label>
  <fieldset submitButton="false">
    <input type="text" token="spec_ip" searchWhenChanged="true">
      <label>IP format</label>
      <default>\d+\.\d+\.\d+\.\d+</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Parsing IP address with $spec_ip$ format</title>
        <search>
          <query>| makeresults 
| eval IP=(random()%256).".".(random()%256).".".(random()%256).".".(random()%256)
| rex field=IP "(?&lt;ip2&gt;$spec_ip$)"
| eval format=$spec_ip|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...