Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to apply a regex filter to my pivot?

szabados
Communicator
‎06-26-2015 02:09 AM

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Pivot#Filter_element

According to this, there is a regex comparator usable with Filter.
I can't find any example, how should I use it.

What I've tried:

| pivot [...] Filter fieldname regex ".*"

But I get the following error:

Error in 'PivotProcessor': Error in 'PivotUtil': Cannot filter using 'regex' on field type 'string'

How can I apply a regex-filter to my pivot?

Tags (3)
0 Karma
Reply

acharlieh
Influencer
‎06-26-2015 09:17 AM

I would log a support request for this as it seems to be a bug. Playing with a data model on 6.2.3, the regex filter of pivot seems to return a similar error no matter what the type of the field is. I wonder if the code implementing the data type check is a little off. On a 6.0.6 install, the regex filter of Pivot doesn't return an error, but it doesn't seem to do anything either.

I don't see a UI equivalent to a regex filter in the UI currently, but also there's a label on the documentation that the page is currently a work in progress so perhaps this is a feature under development?

Reply

woodcock
Esteemed Legend
‎06-26-2015 06:18 AM

It is probably just like the regex command in the SPL so try it like this:

| pivot [...] Filter regex fieldname=".*"

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/regex

0 Karma
Reply

acharlieh
Influencer
‎06-26-2015 09:18 AM

If you attempted this in a Splunk instance before posting, you would know that this syntax would get you: "Error in 'PivotProcessor': Could not parse pivot search. Search appears to be malformed." in 6.2.3 and "Error in 'PivotProcessor': In handler 'datamodelreport': Unexpected error "" from python handler: "Pivot Error in validateField: Field name regex was not found in object App_Request". See splunkd.log for more details" in 6.0.6

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...