topic Re: rex invalid argument in Splunk Dev

rex invalid argument

stwong — Wed, 31 May 2017 03:26:28 GMT

Hi,

We're using 6.5.3. Got error "Error in 'rex' command: Invalid argument: ' ' " for query like following:

index=security source="/data/*/vpn" IP=192.168.206.176 OR outerIP=192.168.206.176
            | rex field=_raw "IP=(?<VPN_IP>[^\s]*).*DN:.*outerIP=(?<clientIP>[^\s]*)"

I tried to replace with a simpler expression like "^(?<EveryThing>.*)$" but also get the same error.

Would anyone please help? Sorry for the newbie question.

Thanks and regards

Re: rex invalid argument

DalJeanis — Wed, 31 May 2017 04:12:47 GMT

Interesting. It is not you, it is something quite strange. The rex works just fine for me on some mocked up data. It is possible that there is some invisible/nonprintable control character in your search causing the problem. First, copy the entire search to notepad, verify that it is plain text, then ctrl-a ctrl-v to paste it back into splunk and submit the search again. If you get the same error, then proceed with these triage steps...

Okay, here's some triage steps. First, do this and check to see that there is a _raw field in the output...

 index=security source="/data/*/vpn" IP=192.168.206.176 OR outerIP=192.168.206.176 | head 1

Next, add just this line after the above. Copy and paste it from here...

| rex "IP=(?<VPN_IP>[^\s]*)"

If that causes an error, then please post the exact wording of the error, and a non-confidential version of the _raw. If there is no error, then add this line and run again...

| rex "outerIP=(?<clientIP>[^\s]*)

If there is no error yet, then let us know and we can try to determine what was wrong with the rex. If the error does crop up, then when it appears, we will have more information.

Re: rex invalid argument

stwong — Thu, 01 Jun 2017 03:12:51 GMT

Hello,

Thanks a lot.

Right, probably some invisible characters embedded as I copied the query from an app installed.
It works if I typed it from scratch.

Thanks again.
Best Regards