Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Rex in splunk support variable in regular expression?

Tao_Zeng
Explorer
‎08-08-2022 11:42 PM

Does Rex in splunk support variable in regular expression ? For example,   user could input a text from UI, usually I need  a variable like $kw$  to get the input from user,  and  use $kw$  in rex command  , Can splunk support this way ? and how ?  Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

View solution in original post

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 01:34 AM

I tried again, rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""   --- This acturally works.

and 

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""

is good reminding. 

Thanks  ITWhisperer.

One  more question is , $  is a special  symbol  on regular expression , how does Splunk identify it as a prefix  of a variable  or  a regular expression symbol ?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 07:04 PM

This make sense, thanks for detailed explanation .

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-08-2022 11:47 PM

Example, My raw  text could be 

"ue-CapabilityEnquiryExt": {"capabilityRequestFilterCommon": {"uplinkTxSwitchRequest-r16": "true"},   how can I embedded $kw$ in Rex expression , $kw$  is the text value input by user to search a certain key.  it could be "uplinkTxSwitchRequest-r16" or some other key words .

I ever tried 

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\"", but didn't work

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 12:27 AM

In what way did this not work?

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""

Although, to be fair, this does rely on the user using a regex compatible match value, so you could try this (to make it easier for the user

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...