Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

equals sign in regexes

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 06:45 AM

I'm trying to match events in transforms.conf on key=value strings. (like EventCode=103 and so on).

It wouldn't work unless I did escape the equals sign with backslash. So config entry like

REGEX=ComputerName=whatever.domain.com

Doesn't seem to work, but

REGEX=ComputerName\=whatever.domain.com

 does.

And I generally don't mind it but I would love to see a piece of docs that says that the equals sign has to be ascaped. Normally it doesn't so I have no idea if it's something to do with regex itself, or with conf file parsing.

Can anyone point me to a proper doc?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ashvinpandey
Contributor
‎09-28-2021 06:52 AM

@PickleRick Hey, There is not any exact document for only a "=" but you can find a doc for regex and you can get more info with this:
https://docs.splunk.com/Documentation/SCS/current/Search/Escapecharacters 
Also, If this reply helps you, an upvote would be appreciated.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 07:17 AM

Yeah, I know that but that covers regular regex syntax (which is more-or less PCRE) and escaping special characters. And equals sign is not special (at least in regex).

As I said, I found a mention about escaping the equals sign on few posts on community but nothing in official docs 😕

0 Karma
Reply

ashvinpandey
Contributor
‎09-28-2021 07:41 AM

@PickleRick Here is the official link from splunk where the list of all the special characters are mentioned, Also the "equal to" sign is present:
https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters 
Also, If this reply helps you, an upvote would be appreciated.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 08:01 AM

Well yes, but it's a style guide, not a conf file spec 😉

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2021 10:48 AM
Hi
If/when you have found anything enough clear or confusing on docs you should leave comment on that page. Doc team are willing to clarifying those on docs.
r. Ismo
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 11:33 AM

Yeah, I know. I already "fixed" a thing or two on the doc pages 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...