topic Re: create new field with REST API of splunk in All Apps and Add-ons

create new field with REST API of splunk

snigdha9nov — Thu, 24 Jan 2019 08:13:28 GMT

I am new in splunk... I am trying to create a new field(want to give a name as "gen") from raw events of train.csv (mydataset) by using regular expression of splunk REST api . my same regualar expression is working well in splunk web page but getting parenthesis error .
here is my code
curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/export -d search="search source=train.csv |rex field=_raw '^(?:[^,\n]*,){5}(?P\w+,)'| top gen"

but getting error
FATAL">Error in 'rex' command: Encountered the following error while compiling the regex ''^(?:[^': Regex: missing closing parenthesis

I have checked no parenthesis missing...please help me to get right code

Re: create new field with REST API of splunk

harsmarvania57 — Fri, 25 Jan 2019 09:13:53 GMT

Hi @snigdha9nov,

You can try below command which works fine and it will extract field called extracted_field

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/export -d search="search source=train.csv |rex field=_raw \"^(?:[^,\n]*,){5}(?P<extracted_field>\w+,)\"| top gen"

For example I am running below query in my lab to extract IP address from _internal index and it is working fine.

curl -vk -u admin:mypass https://localhost:8089/services/search/jobs/export -d search="search index=_internal source=*splunkd.log | rex \"from\s(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\"

Re: create new field with REST API of splunk

snigdha9nov — Fri, 25 Jan 2019 09:27:49 GMT

fieldOrder>

thanks a lot ...but I am unable to see the result

gen
count
percent
_tc

Configuration initialization for /Applications/Splunk/etc took 19ms when dispatching a search (search ID: 1548407977.58)
base lispy: [ AND source::train.csv ]

Re: create new field with REST API of splunk

harsmarvania57 — Fri, 25 Jan 2019 09:47:22 GMT

If you look at the document https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTREF/RESTsearch#search.2Fjobs.2Fexport then it is saying that search/jobs/export will stream results as they become available, if you want to search the data and then retrieve result once job will complete then use other rest endpoint

For example:

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs -d search="search source=train.csv |rex field=_raw \"^(?:[^,\n]*,){5}(?P<extracted_field>\w+,)\"| top gen" -d id=mysearch -d earliest_time=-15m@m

And to retrieve results in another request

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/mysearch/results --get -d output_mode=json

Re: create new field with REST API of splunk

snigdha9nov — Fri, 25 Jan 2019 09:56:36 GMT

curl -k -u admin:password https://localhost:8089/services/search/jobs/1548409940.125/results --get -d output_mode=json

why getting this
{"messages":[{"type":"FATAL","text":"Unknown sid."}]}

Re: create new field with REST API of splunk

harsmarvania57 — Fri, 25 Jan 2019 09:59:26 GMT

From where you got this SID 1548409940.125 ? If you do not want to rely on Splunk generated SID then you can supply user friendly SID name (-d id=mysearch) when firing search, see example I have given above and use that SID to retrieve results.

Re: create new field with REST API of splunk

snigdha9nov — Tue, 29 Sep 2020 22:57:34 GMT

{"preview":false,"init_offset":0,"post_process_count":0,"messages":[],"results":

Re: create new field with REST API of splunk

harsmarvania57 — Fri, 25 Jan 2019 10:35:31 GMT

This means that query didn't find any matching events, please wider your time span.

Re: create new field with REST API of splunk

snigdha9nov — Fri, 25 Jan 2019 11:43:48 GMT

DEBUG">Configuration initialization for /Applications/Splunk/etc took 19ms when dispatching a search (search ID: 1548416060.239)
base lispy: [ AND source::train.csv ]

still facing this problem