Dashboards & Visualizations

Rex on Value from Dashboard Textfield

penguin1725
Explorer

Hi There!

Splunk newbie here! I'm using Splunk 6.4.1.

Issue: I have a dashboard with a text field. I want to use certain components of the text field value in creating a dashboard panel.

For example:
Input (say the text field token is "text"): cookies-5.2-6.22.yum1_3.5.coconut.
I want to use 5.2 and 6.22.yum1_3.5 in my query that creates a dashboard panel.

I know rex is normally used for extracting values from raw data or the source or something related to the events returned in a search, but I feel like there must be a way to do it on the textfield value. I've looked into the split function...but I don't have a good delimiter and I might want to further break down the 6.22.yum1_3.5 field in the future.

I haven't had any success with the rex command. Here's what I've tried:

| eval str="$text$" | rex field=str "regex...."
| rex field="$text$" "regex..."

I get the same error back for both: Error in 'rex' command: The regex does not extract anything. It should specify at least one named group.
I don't think the issue is with the regex, but here it is in case it is helpful at all: cookies\-(?\d+\.\d+)\-(?[0-9a-z\._]+[0-9])

Thanks so much!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The rex error is because your regex string does not do any field extractions. It should look something like this

... | rex field=str "cookies\-(?<field1>\d+\.\d+)\-(?<field2>[0-9a-z\._]+[0-9])" | ...

Naming the groups also resolves your I-might-want-to-further-break-down-the-6.22.yum1_3.5-field-in-the-future problem as you can easily pass field2 into another rex command for dissection.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

penguin1725
Explorer

Sorry, I'm very new to all of this. Not sure why my regex in the previous comment also came out with some characters missing (the greater-thans/less-thans/some of the slashes)--I'm guessing it is something to do with the fact that I'm not properly escaping the special characters...

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Put backticks around the regex to keep the forum from messing with the special characters.

---
If this reply helps you, Karma would be appreciated.
0 Karma

penguin1725
Explorer

Great, thanks!

0 Karma

penguin1725
Explorer

Oops...not sure why my regex came out like that. The regex I'm using in actuality looks pretty much exactly like richgalloway's:
"cookies-(?\d+.\d+)-(?[0-9a-z._]+[0-9])"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The rex error is because your regex string does not do any field extractions. It should look something like this

... | rex field=str "cookies\-(?<field1>\d+\.\d+)\-(?<field2>[0-9a-z\._]+[0-9])" | ...

Naming the groups also resolves your I-might-want-to-further-break-down-the-6.22.yum1_3.5-field-in-the-future problem as you can easily pass field2 into another rex command for dissection.

---
If this reply helps you, Karma would be appreciated.

penguin1725
Explorer

Thanks for the response. Oops, not sure why my regex came out like that. In actuality, my regex looks exactly like the one you have above.

So for some reason, the "str" is not recognized as regex-able.

Also, something I just tried:
When I run the dashboard panel query I get the error I mentioned above.
However, when I run the same query in the regular Splunk search window (with a hard coded value in place of the text field value), I don't get the error but the fields don't show up in the side bar.
Do you have any ideas why that is the case? Thanks again!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

So we've established the problem is not with the regex string. That leaves either the quotes around $text$ or something in the unseen parts of the query that results in no results returned.

---
If this reply helps you, Karma would be appreciated.
0 Karma

penguin1725
Explorer

Thanks for following up--I really appreciate it.

Yup, I finally figured out that the issue was with how I put the regex search together. As I was experimenting around with the dashboard panel, I had somehow gotten my rex part to look something like:
| eval str="$text$"
| rex field= str"regex...."

That extra space after the equal sign and the deleted space after "str" completely did me in! I totally didn't notice it as I thought the issue was with the value of str coming from the dashboard textfield and str not being a field.

Then I read that the eval command actually creates a new field. One thing led to another, and I realized that all my regexes that were working looked different from the one I was currently working on...got to love syntax errors! Now I know!

Thanks again!

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...