topic Re: Problem with the simplest rex in Splunk Search

Problem with the simplest rex

rachelneal — Thu, 04 Aug 2011 20:49:57 GMT

I have several error logs that have a similar format:

Cannot set Single Use Prices on Single Room Standard Room (
Cannot set Single Use Prices on Single Room Standard Suite (
Cannot set Single Use Prices on Single Room Executive King Room (

The rex that I am attempting to use only returns a table of blank lines.

"Cannot set Single Use Prices on Single Room " |rex "(?<Error>\w+?)\(" | table Error

I've tried \w \w+ \w+? \. \.+ \.+?

Any suggestions?

Re: Problem with the simplest rex

Lowell — Thu, 04 Aug 2011 21:08:54 GMT

Is there a space between the last word and the "(". If so, your regex isn't going to match. Try:

| rex "(?\w+)\s+("

Re: Problem with the simplest rex

gkanapathy — Fri, 05 Aug 2011 04:04:48 GMT

Also, \w will not match spaces, so all you're going to get is the word "Room" or "Suite".

Re: Problem with the simplest rex

hjwang — Fri, 05 Aug 2011 08:56:47 GMT

try

| rex "(?<Error>[^\r\n\(]+)\("

Re: Problem with the simplest rex

Lowell — Fri, 05 Aug 2011 15:27:15 GMT

That's true. It depends on what you are looking for. rachelneal, if you would provided additional details in your question (use the "edit" link below you question), then a more suitable regex could be suggested. Specifically, note what strings you would like to extract from the samples given.

Re: Problem with the simplest rex

rachelneal — Mon, 12 Sep 2011 18:12:13 GMT

Thanks everyone. I ended up with rex "\"(?.+?(\d+?)).+?\'(?\d+?)\'.+?\'(?\d+?)\'" after getting rex "\"(?.+?(" to work. Woohoo!