Splunk Search
Highlighted

Using regex function with pattern stored in a variable

Engager

I have dashboard panel with a dropdown menu on it. When the user selects a category from the dropdown, it will be stored in the variable $category$.

Based on the category selected by the user, I want to apply a regular expression to the "name" field in my search.

For example, if the user selects the category "category1", then I want to apply the regular expression "^(my|reg|ex)" to the "name" field in my search.

Here's what I tried:

sourcetype = mysourcetype | eval catregex = case(match($app_category$,"category1"),"^(my|reg|ex)" | regex name = catregex

This is not working. I'm thinking that the problem is with the command regex name = catregex

Maybe the field/variable that I created, catregex, is being interpreted as a string in that context? If so, how can I make sure it's interpreted as a variable?

I also tried something like this with regex command, but it seems this is not possible:

regex name = case(match($app_category$,"category1"),"^(my|reg|ex)"

Any help would be greatly appreciated!

Thanks, fellow Splunkers!

Tags (3)
0 Karma
Highlighted

Re: Using regex function with pattern stored in a variable

Ultra Champion

can you try to cast the variable in a field with an eval first ?

sourcetype = mysourcetype | eval mycategory=$app_category$ | eval catregex = case(match(mycategory,"category1"),"^(my|reg|ex)" | regex name = catregex

0 Karma
Highlighted

Re: Using regex function with pattern stored in a variable

Engager

I eventually figured this one out. The fix is to put $app_category$ in double quotes:

eval mycategory="$app_category$"

View solution in original post

0 Karma