Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Rex in splunk support variable in regular expression?

Tao_Zeng
Explorer
‎08-08-2022 11:42 PM

Does Rex in splunk support variable in regular expression ? For example,   user could input a text from UI, usually I need  a variable like $kw$  to get the input from user,  and  use $kw$  in rex command  , Can splunk support this way ? and how ?  Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

View solution in original post

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 01:34 AM

I tried again, rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""   --- This acturally works.

and 

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""

is good reminding. 

Thanks  ITWhisperer.

One  more question is , $  is a special  symbol  on regular expression , how does Splunk identify it as a prefix  of a variable  or  a regular expression symbol ?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 01:54 AM

Yes, $ is a special symbol in rex, however, in this instance, you are specifying a token in a dashboard, and this is substituted into the search string before it is passed to the rex command.

Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-09-2022 07:04 PM

This make sense, thanks for detailed explanation .

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Tao_Zeng
Explorer
‎08-08-2022 11:47 PM

Example, My raw  text could be 

"ue-CapabilityEnquiryExt": {"capabilityRequestFilterCommon": {"uplinkTxSwitchRequest-r16": "true"},   how can I embedded $kw$ in Rex expression , $kw$  is the text value input by user to search a certain key.  it could be "uplinkTxSwitchRequest-r16" or some other key words .

I ever tried 

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\"", but didn't work

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2022 12:27 AM

In what way did this not work?

rex field=_raw "\"$kw$\": \"(?<KeyValue>.*)\""

Although, to be fair, this does rely on the user using a regex compatible match value, so you could try this (to make it easier for the user

rex field=_raw "\"$kw$[^\"]*\": \"(?<KeyValue>.*)\""
0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top