Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

equals sign in regexes

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 06:45 AM

I'm trying to match events in transforms.conf on key=value strings. (like EventCode=103 and so on).

It wouldn't work unless I did escape the equals sign with backslash. So config entry like

REGEX=ComputerName=whatever.domain.com

Doesn't seem to work, but

REGEX=ComputerName\=whatever.domain.com

 does.

And I generally don't mind it but I would love to see a piece of docs that says that the equals sign has to be ascaped. Normally it doesn't so I have no idea if it's something to do with regex itself, or with conf file parsing.

Can anyone point me to a proper doc?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ashvinpandey
Contributor
‎09-28-2021 06:52 AM

@PickleRick Hey, There is not any exact document for only a "=" but you can find a doc for regex and you can get more info with this:
https://docs.splunk.com/Documentation/SCS/current/Search/Escapecharacters 
Also, If this reply helps you, an upvote would be appreciated.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 07:17 AM

Yeah, I know that but that covers regular regex syntax (which is more-or less PCRE) and escaping special characters. And equals sign is not special (at least in regex).

As I said, I found a mention about escaping the equals sign on few posts on community but nothing in official docs 😕

0 Karma
Reply

ashvinpandey
Contributor
‎09-28-2021 07:41 AM

@PickleRick Here is the official link from splunk where the list of all the special characters are mentioned, Also the "equal to" sign is present:
https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters 
Also, If this reply helps you, an upvote would be appreciated.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 08:01 AM

Well yes, but it's a style guide, not a conf file spec 😉

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2021 10:48 AM
Hi
If/when you have found anything enough clear or confusing on docs you should leave comment on that page. Doc team are willing to clarifying those on docs.
r. Ismo
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 11:33 AM

Yeah, I know. I already "fixed" a thing or two on the doc pages 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...