Hi There!
Splunk newbie here! I'm using Splunk 6.4.1.
Issue: I have a dashboard with a text field. I want to use certain components of the text field value in creating a dashboard panel.
For example:
Input (say the text field token is "text"): cookies-5.2-6.22.yum1_3.5.coconut.
I want to use 5.2 and 6.22.yum1_3.5 in my query that creates a dashboard panel.
I know rex is normally used for extracting values from raw data or the source or something related to the events returned in a search, but I feel like there must be a way to do it on the textfield value. I've looked into the split function...but I don't have a good delimiter and I might want to further break down the 6.22.yum1_3.5 field in the future.
I haven't had any success with the rex command. Here's what I've tried:
| eval str="$text$" | rex field=str "regex...."
| rex field="$text$" "regex..."
I get the same error back for both: Error in 'rex' command: The regex does not extract anything. It should specify at least one named group.
I don't think the issue is with the regex, but here it is in case it is helpful at all: cookies\-(?\d+\.\d+)\-(?[0-9a-z\._]+[0-9])
Thanks so much!
The rex error is because your regex string does not do any field extractions. It should look something like this:
... | rex field=str "cookies\-(?<field1>\d+\.\d+)\-(?<field2>[0-9a-z\._]+[0-9])" | ...
Naming the groups also resolves your I-might-want-to-further-break-down-the-6.22.yum1_3.5-field-in-the-future problem as you can easily pass field2 into another rex command for dissection.
Sorry, I'm very new to all of this. Not sure why my regex in the previous comment also came out with some characters missing (the greater-thans/less-thans/some of the slashes)--I'm guessing it is something to do with the fact that I'm not properly escaping the special characters...
Put backticks around the regex to keep the forum from messing with the special characters.
Great, thanks!
Oops...not sure why my regex came out like that. The regex I'm using in actuality looks pretty much exactly like richgalloway's:
"cookies-(?\d+.\d+)-(?[0-9a-z._]+[0-9])"
Thanks for the response. Oops, not sure why my regex came out like that. In actuality, my regex looks exactly like the one you have above.
So for some reason, the "str" is not recognized as regex-able.
Also, something I just tried:
When I run the dashboard panel query I get the error I mentioned above.
However, when I run the same query in the regular Splunk search window (with a hard coded value in place of the text field value), I don't get the error but the fields don't show up in the side bar.
Do you have any ideas why that is the case? Thanks again!
So we've established the problem is not with the regex string. That leaves either the quotes around $text$ or something in the unseen parts of the query that results in no results returned.
Thanks for following up--I really appreciate it.
Yup, I finally figured out that the issue was with how I put the regex search together. As I was experimenting around with the dashboard panel, I had somehow gotten my rex part to look something like:
| eval str="$text$"
| rex field= str"regex...."
That extra space after the equal sign and the deleted space after "str" completely did me in! I totally didn't notice it as I thought the issue was with the value of str coming from the dashboard textfield and str not being a field.
Then I read that the eval command actually creates a new field. One thing led to another, and I realized that all my regexes that were working looked different from the one I was currently working on...got to love syntax errors! Now I know!
Thanks again!
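Added example, not part of the original thread: a standalone search that checks the rex from the answer outside the dashboard by hard-coding the sample input with makeresults in place of the $text$ token, then passes field2 into a second rex. The second regex and the field names f2_version and f2_build are assumptions chosen for illustration.

```spl
| makeresults
| eval str="cookies-5.2-6.22.yum1_3.5.coconut"
| rex field=str "cookies\-(?<field1>\d+\.\d+)\-(?<field2>[0-9a-z\._]+[0-9])"
| rex field=field2 "^(?<f2_version>\d+\.\d+)\.(?<f2_build>.+)$"
| table str field1 field2 f2_version f2_build
```

With the sample input this yields field1=5.2, field2=6.22.yum1_3.5, f2_version=6.22 and f2_build=yum1_3.5. Note that field=str has no space on either side of the equals sign and a space separates it from the quoted regex.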