Yes, $ is a special symbol in rex; however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.
I tried again:
rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""
This actually works,
and
rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""
is a good reminder.
Thanks ITWhisperer.
One more question: $ is a special symbol in regular expressions, so how does Splunk identify it as a prefix of a variable or a regular expression symbol?

For example, my raw text could be
"ue-CapabilityEnquiryExt": {"capabilityRequestFilterCommon": {"uplinkTxSwitchRequest-r16": "true"},
How can I embed $kw$ in a rex expression? $kw$ is the text value input by the user to search for a certain key. It could be "uplinkTxSwitchRequest-r16" or some other keywords.
I tried
rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""
but it didn't work.

In what way did this not work?
rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""
Although, to be fair, this does rely on the user using a regex-compatible match value, so you could try this (to make it easier for the user):
rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""
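
The following Python example is added here and is not code from the thread or from Splunk. It models the token substitution described in the answers as plain text replacement done before the regex is compiled, and shows what happens when the user's value is not regex-compatible. The function names, the sample inputs and the `re.escape` step are assumptions, and Python's `re` needs `(?P<KeyValue>...)` where rex accepts `(?<KeyValue>...)`.

```python
import re

# Constructed sample event, copied from the raw text quoted in the question.
RAW = ('"ue-CapabilityEnquiryExt": {"capabilityRequestFilterCommon": '
       '{"uplinkTxSwitchRequest-r16": "true"},')

# The two rex patterns from the thread after SPL string unescaping (\" -> ").
# Python's re requires (?P<name>...) for the named group.
EXACT = '"$kw$": "(?P<KeyValue>.*)"'
PREFIX = '"$kw$[^"]*": "(?P<KeyValue>.*)"'


def substitute(template, kw, escape=False):
    """Model the dashboard step: $kw$ is replaced as text before the regex runs.

    escape=True is a hypothetical pre-processing step that makes the user's
    value literal, so regex metacharacters in it lose their meaning.
    """
    return template.replace("$kw$", re.escape(kw) if escape else kw)


def extract(template, kw, escape=False, raw=RAW):
    """Return KeyValue, None when nothing matches, or 'error' for an invalid regex."""
    try:
        match = re.search(substitute(template, kw, escape), raw)
    except re.error:
        return "error"
    return match.group("KeyValue") if match else None


if __name__ == "__main__":
    cases = [
        (EXACT, "uplinkTxSwitchRequest-r16", False),   # full key, as in the question
        (EXACT, "uplinkTx", False),                    # partial key, exact pattern
        (PREFIX, "uplinkTx", False),                   # partial key, [^"]* pattern
        (EXACT, "uplinkTxSwitchRequest.r16", False),   # '.' acts as a wildcard
        (EXACT, "uplinkTxSwitchRequest.r16", True),    # '.' treated literally
        (EXACT, "r16(", False),                        # unbalanced '(' breaks the regex
        (EXACT, "r16(", True),                         # escaped: valid, no match
    ]
    for template, kw, escape in cases:
        print(f"{kw!r:32} escape={escape!s:5} -> {extract(template, kw, escape)!r}")
```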
