Did you manage to get this to work at all?

I'm playing around with something similar and I can almost get regex to work with something like this

<input type="text" token="hrtearliest">
    <label>Human Readable Time Start</label>
    <change>
        <eval token="test">if(match($value$, &quot;(.+)&quot;), &quot;match&quot;, &quot;not match&quot;</eval>
    </change>
</input>

But if I try to expand the regex in the match it stops setting the test token at all. For example - with the text box set to 2016.

<input type="text" token="hrtearliest">
    <label>Human Readable Time Start</label>
    <change>
        <eval token="test">if(match($value$, &quot;(\d+)&quot;), &quot;match&quot;, &quot;not match&quot;</eval>
    </change>
</input>

it seems from my testing that the regex doesn't work with meta characters (\d, \w etc) but does work with control characters ({3}, + * etc). I also tried using the escape string for the \ on the meta characters but that didn't help.

I found out that the Javascript version of the match() eval function apparently doesn't like something as simple as \d+. However, if I changed it to [0-9]+ then it worked.

I'm not sure if the back-slash needs escaped, or if \d specifically isn't supported or what. But I was just trying to match any integer, so didn't take it any further.

The docs do mention that the regular expression dialect is different. JavaScript vs PCRE, but not that familiar with the differences there either.

Good luck!

haha, just saw this also noted in a comment above. Whoops. Oh well, missed it the first time I read through it; maybe this will still be helpful to someone.

@peter_holmes_anaplan: you're responding to a year-old thread. For better chances at getting an answer, I suggest you post a new question.

@ richgalloway ♦: Thanks Rich, I actually worked out how to do this after posting the comment (you need to just avoid meta characters and use [0-9] for \d etc. I'm going to post this as a comment on the token usage documentation as it would have saved me a few hours :-).

I strongly suggest that you use the XML CDATA construct to simplify these problems.
Surrounding text with <![CDATA[and ]]> means that you don't have to worry about XML munging your special characters. You don't need to use " and friends. (You do still need to worry about how Splunk interprets the special characters...)

If you indent each line of your XML 4 spaces, the editor will preserve special characters. I made the change for you.

Thanks for the edit!

Hi @mydog8it (just got the cleverness of your username after typing it out ;P)

Just so you know, you're welcome to post the URL to docs you're referring to, even without enough karma. They won't render as links, but at least people can see exactly what page(s) you're referring to or copy and paste it themselves.

Cheers!
Patrick

Thanks Patrick!
Here is the path to Evaluation Functions documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/CommonEvalFunctions
do a find for "match(SUBJECT, "REGEX")"

Here is the path to the v6.3 Simple XML reference docs:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML
do a find for "match"

Have you tried escaping the quotes inside your match command?

I'm using the ascii text for quotes in my xml. The posting process interpreted them and is displaying the quotes. I introduced spaces in to the ascii text and they do not get interpreted ... match="match(value, & quot ;d{1,3}.d{1,3}.d{1,3}.d{1,3}& quot ;)">

I'm suggesting you should try match(value, \"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\").

The dashboard tool will not save with that syntax.
"Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 15: Extra content at the end of the document "