Splunk Search

How to use the field in search query EXTRACTED using REX command

rangineniarunku
Explorer

I have a field named "content" with multiple values to it as follows
content=value.deva
content=value.devb
" =value.devc ......
I have written a rex expression in my search query .........| rex field=Name ".(?.*)" to extract the Environment from the field content . Now I want to get the values in my result only for Environment=deva, how can I use the field Environment in my query?
I tried this way but it did not work ".........| rex field=content ".(?.)" | Environment=deva "

Can someone help me with this?

Tags (2)
0 Karma
1 Solution

DalJeanis
Legend

You are looking for the | where command.

| where Environment="myvalue" 

View solution in original post

DalJeanis
Legend

You are looking for the | where command.

| where Environment="myvalue" 

rangineniarunku
Explorer

It worked!!!

0 Karma
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...