Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to apply a regex filter to my pivot?

szabados
Communicator
‎06-26-2015 02:09 AM

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Pivot#Filter_element

According to this, there is a regex comparator usable with Filter.
I can't find any example, how should I use it.

What I've tried:

| pivot [...] Filter fieldname regex ".*"

But I get the following error:

Error in 'PivotProcessor': Error in 'PivotUtil': Cannot filter using 'regex' on field type 'string'

How can I apply a regex-filter to my pivot?

Tags (3)
0 Karma
Reply

acharlieh
Influencer
‎06-26-2015 09:17 AM

I would log a support request for this as it seems to be a bug. Playing with a data model on 6.2.3, the regex filter of pivot seems to return a similar error no matter what the type of the field is. I wonder if the code implementing the data type check is a little off. On a 6.0.6 install, the regex filter of Pivot doesn't return an error, but it doesn't seem to do anything either.

I don't see a UI equivalent to a regex filter in the UI currently, but also there's a label on the documentation that the page is currently a work in progress so perhaps this is a feature under development?

Reply

woodcock
Esteemed Legend
‎06-26-2015 06:18 AM

It is probably just like the regex command in the SPL so try it like this:

| pivot [...] Filter regex fieldname=".*"

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/regex

0 Karma
Reply

acharlieh
Influencer
‎06-26-2015 09:18 AM

If you attempted this in a Splunk instance before posting, you would know that this syntax would get you: "Error in 'PivotProcessor': Could not parse pivot search. Search appears to be malformed." in 6.2.3 and "Error in 'PivotProcessor': In handler 'datamodelreport': Unexpected error "" from python handler: "Pivot Error in validateField: Field name regex was not found in object App_Request". See splunkd.log for more details" in 6.0.6

Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...