Hi There!
Splunk newbie here! I'm using Splunk 6.4.1.
Issue: I have a dashboard with a text field. I want to use certain components of the text field value in creating a dashboard panel.
For example:
Input (say the text field token is "text"): cookies-5.2-6.22.yum1_3.5.coconut.
I want to use 5.2 and 6.22.yum1_3.5 in my query that creates a dashboard panel.
I know rex is normally used for extracting values from raw data or the source or something related to the events returned in a search, but I feel like there must be a way to do it on the text field value. I've looked into the split function... but I don't have a good delimiter and I might want to further break down the 6.22.yum1_3.5 field in the future.
I haven't had any success with the rex command. Here's what I've tried:
`| eval str="$text$" | rex field=str "regex...."`
`| rex field="$text$" "regex..."`
I get the same error back for both: Error in 'rex' command: The regex does not extract anything. It should specify at least one named group.
I don't think the issue is with the regex, but here it is in case it is helpful at all: `cookies\-(?\d+\.\d+)\-(?[0-9a-z\._]+[0-9])`
Thanks so much!