Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

equals sign in regexes

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 06:45 AM

I'm trying to match events in transforms.conf on key=value strings. (like EventCode=103 and so on).

It wouldn't work unless I did escape the equals sign with backslash. So config entry like

REGEX=ComputerName=whatever.domain.com

Doesn't seem to work, but

REGEX=ComputerName\=whatever.domain.com

 does.

And I generally don't mind it but I would love to see a piece of docs that says that the equals sign has to be ascaped. Normally it doesn't so I have no idea if it's something to do with regex itself, or with conf file parsing.

Can anyone point me to a proper doc?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ashvinpandey
Contributor
‎09-28-2021 06:52 AM

@PickleRick Hey, There is not any exact document for only a "=" but you can find a doc for regex and you can get more info with this:
https://docs.splunk.com/Documentation/SCS/current/Search/Escapecharacters 
Also, If this reply helps you, an upvote would be appreciated.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 07:17 AM

Yeah, I know that but that covers regular regex syntax (which is more-or less PCRE) and escaping special characters. And equals sign is not special (at least in regex).

As I said, I found a mention about escaping the equals sign on few posts on community but nothing in official docs 😕

0 Karma
Reply

ashvinpandey
Contributor
‎09-28-2021 07:41 AM

@PickleRick Here is the official link from splunk where the list of all the special characters are mentioned, Also the "equal to" sign is present:
https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters 
Also, If this reply helps you, an upvote would be appreciated.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 08:01 AM

Well yes, but it's a style guide, not a conf file spec 😉

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2021 10:48 AM
Hi
If/when you have found anything enough clear or confusing on docs you should leave comment on that page. Doc team are willing to clarifying those on docs.
r. Ismo
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 11:33 AM

Yeah, I know. I already "fixed" a thing or two on the doc pages 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...