Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Rex in splunk support variable in regular expression?

Tao_Zeng
Explorer
‎08-08-2022 11:42 PM

Does Rex in splunk support variable in regular expression ? For example,   user could input a text from UI, usually I need  a variable like $kw$  to get the input from user,  and  use $kw$  in rex command  , Can splunk support this way ? and how ?  Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

View solution in original post

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 01:34 AM

I tried again, rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""   --- This acturally works.

and 

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""

is good reminding. 

Thanks  ITWhisperer.

One  more question is , $  is a special  symbol  on regular expression , how does Splunk identify it as a prefix  of a variable  or  a regular expression symbol ?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 07:04 PM

This make sense, thanks for detailed explanation .

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-08-2022 11:47 PM

Example, My raw  text could be 

"ue-CapabilityEnquiryExt": {"capabilityRequestFilterCommon": {"uplinkTxSwitchRequest-r16": "true"},   how can I embedded $kw$ in Rex expression , $kw$  is the text value input by user to search a certain key.  it could be "uplinkTxSwitchRequest-r16" or some other key words .

I ever tried 

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\"", but didn't work

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 12:27 AM

In what way did this not work?

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""

Although, to be fair, this does rely on the user using a regex compatible match value, so you could try this (to make it easier for the user

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top