Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Rex in splunk support variable in regular expression?

Tao_Zeng
Explorer
‎08-08-2022 11:42 PM

Does Rex in splunk support variable in regular expression ? For example,   user could input a text from UI, usually I need  a variable like $kw$  to get the input from user,  and  use $kw$  in rex command  , Can splunk support this way ? and how ?  Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

View solution in original post

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 01:34 AM

I tried again, rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""   --- This acturally works.

and 

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""

is good reminding. 

Thanks  ITWhisperer.

One  more question is , $  is a special  symbol  on regular expression , how does Splunk identify it as a prefix  of a variable  or  a regular expression symbol ?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 07:04 PM

This make sense, thanks for detailed explanation .

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-08-2022 11:47 PM

Example, My raw  text could be 

"ue-CapabilityEnquiryExt": {"capabilityRequestFilterCommon": {"uplinkTxSwitchRequest-r16": "true"},   how can I embedded $kw$ in Rex expression , $kw$  is the text value input by user to search a certain key.  it could be "uplinkTxSwitchRequest-r16" or some other key words .

I ever tried 

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\"", but didn't work

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 12:27 AM

In what way did this not work?

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""

Although, to be fair, this does rely on the user using a regex compatible match value, so you could try this (to make it easier for the user

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...