topic Re: Why am I receiving an error in 'rex' command? in Splunk Search

Why am I receiving an error in 'rex' command?

khairilfirza — Thu, 12 Jul 2018 07:46:58 GMT

Hi team, I want to ask:
I cannot do extract new field and its show this error.

Error in 'rex' command: The regex 'Telco' does not extract anything. It should specify at least one named group. Format: (?...).

Before this my Telco was display on the selected field, but somehow it missing, and after that I cannot extract a new field.

Can you help me? Please

Re: Why am I receiving an error in 'rex' command?

493669 — Thu, 12 Jul 2018 08:34:06 GMT

can you provide your regex query using 101010 button so that no special character get escape

Re: Why am I receiving an error in 'rex' command?

khairilfirza — Thu, 12 Jul 2018 09:00:06 GMT

can i know where should i put 101010?

Re: Why am I receiving an error in 'rex' command?

493669 — Thu, 12 Jul 2018 09:06:41 GMT

once you type your query select the query first and click 1010110 (above) button - like below
rex "(?.*)"

Re: Why am I receiving an error in 'rex' command?

jplumsdaine22 — Thu, 12 Jul 2018 09:07:22 GMT

I'm assuming your search looks like this:

 ... | rex "telco"

Like the error message says, you must put in a named capturing group so that Splunk knows what name to give your new field. For example, if you want to call that field "myField", your regex would look like this:

...| rex "(?<myField>telco)"

Re: Why am I receiving an error in 'rex' command?

khairilfirza — Thu, 12 Jul 2018 09:18:54 GMT

![* source="/var/log/va-router/vpn/vpn.log" | rex "(?<Telco>telco)"][1]

I'm sorry, I dont know how to do this one, before this my telco is display on the selected field and interesting field.

Now I dont how to find the telco.

Re: Why am I receiving an error in 'rex' command?

khairilfirza — Thu, 12 Jul 2018 09:18:59 GMT

Re: Why am I receiving an error in 'rex' command?

jplumsdaine22 — Thu, 12 Jul 2018 09:32:06 GMT

So the regex I have there will create a field called Telco with the value 'telco', if the event contains the string telco. This is unlikely to be what you want. Can you perhaps describe your search in more general terms?

Re: Why am I receiving an error in 'rex' command?

khairilfirza — Thu, 12 Jul 2018 09:52:47 GMT

source="/var/log/va-router/vpn/vpn.log"

This is the search i used for visualize data. In this search usually I got my telco in the field.
So the in telco its provide information like Maxis , Digi, and Celcom.
So when click on the telco it will display this field. But some how the telco is missing in this field from this search (* source="/var/log/va-router/vpn/vpn.log").

And because that "telco" field is missing I face the problem to extract the new field and show rex error.

Hope you understand

Re: Why am I receiving an error in 'rex' command?

jplumsdaine22 — Thu, 12 Jul 2018 10:06:14 GMT

OK - I don't see any of those terms in your data, so I'm not sure if they are a field extraction or a lookup. It may be that someone made a lookup for the data and it has broken somehow. Have you contacted your Splunk admin?

Re: Why am I receiving an error in 'rex' command?

j_cabanillas — Fri, 20 Jul 2018 17:51:53 GMT

try * source="/var/log/va-router/vpn/vpn.log" | rex field=_raw "(?telco)"

Re: Why am I receiving an error in 'rex' command?

khairilfirza — Mon, 23 Jul 2018 02:17:19 GMT

it display this error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?telco)': Regex: unrecognized character after (? or (?-

Re: Why am I receiving an error in 'rex' command?

j_cabanillas — Mon, 23 Jul 2018 14:24:42 GMT

could you add a log example where the Telco words is in ?

Re: Why am I receiving an error in 'rex' command?

j_cabanillas — Mon, 23 Jul 2018 15:10:39 GMT

So the in telco its provide information like Maxis , Digi, and Celcom. So when click on the telco it will display this field. But some how the telco is missing in this field from this search (* source="/var/log/va-router/vpn/vpn.log").

SO Maxis, Digi, Celcom are telecomunication service providers right? As jplumsdaine22 says , that data is not showing on your logs ,at least not in the one you showed us on the picture.

If that data is not part of the logs it means there must be a lookup for that data that someone created to associated part of the log to each provider.

For example:
The lookup could associate using VPN-SA01XXXX to Digi and VPN-CB01XXXXX to Celcom.
It could also be associated to external IPs, but I don't see external IPs in your logs

Re: Why am I receiving an error in 'rex' command?

premraj_vs — Fri, 25 Jan 2019 03:29:47 GMT

I had the same issue and after trying many complex solutions, the simple solution that worked for me is removing the space after field in rex command.

| rex field=_raw ".+\[(?P<ActionResponseandType>.+)]\s