Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does Rex in splunk support variable in regular expression?

Tao_Zeng
Explorer
‎08-08-2022 11:42 PM

Does Rex in splunk support variable in regular expression ? For example,   user could input a text from UI, usually I need  a variable like $kw$  to get the input from user,  and  use $kw$  in rex command  , Can splunk support this way ? and how ?  Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

View solution in original post

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 01:34 AM

I tried again, rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""   --- This acturally works.

and 

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""

is good reminding. 

Thanks  ITWhisperer.

One  more question is , $  is a special  symbol  on regular expression , how does Splunk identify it as a prefix  of a variable  or  a regular expression symbol ?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 07:04 PM

This make sense, thanks for detailed explanation .

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-08-2022 11:47 PM

Example, My raw  text could be 

"ue-CapabilityEnquiryExt": {"capabilityRequestFilterCommon": {"uplinkTxSwitchRequest-r16": "true"},   how can I embedded $kw$ in Rex expression , $kw$  is the text value input by user to search a certain key.  it could be "uplinkTxSwitchRequest-r16" or some other key words .

I ever tried 

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\"", but didn't work

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 12:27 AM

In what way did this not work?

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""

Although, to be fair, this does rely on the user using a regex compatible match value, so you could try this (to make it easier for the user

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...