topic Re: Unable to extract value and receiving error message in Splunk Search

Unable to extract value and receiving error message

shwetamis — Thu, 21 Nov 2019 17:24:01 GMT

What am I doing wrong here??

index=du sourcetype="du:sbaservice-log"  du_service="dugovt4.0"  "ERROR=" | rex field=_raw "INFO\=\>CaseFileID\s+(?.*)" | rex field=_raw "INFO\=>Envelope\\InstID\s\=\s(?instID>\d+)"| rex field=_raw "lenderCaseNo\s\[(?\d+)\]" | rex field=_raw "Originating\sID\:\s+(?\S+)" | rex field=_raw "SBA\sCommand\:\s+(?\S+)" | rex field=_raw "Host\:\s+(?\S+)" | rex field=_raw " Base\sGUID\:\s+(?\S+)" | eval BTime = strptime(Begin_time, "%H:%M:%S.%3N")  | eval CTime = strptime(Completion_time, "%H:%M:%S.%3N")  | eval ResTime=CTime-BTime

Also, I am not getting the value of CASEFILEID data.

I get an error:

-Error in 'rex' command: Encountered the following error while compiling the regex 'INFO\=>Envelope\InstID\s\=\s(?instID>\d+)': Regex: unrecognized character follows \.

DATA:
11/21/2019 12:22:01.817 INFO=>Executing workflow...
11/21/2019 12:22:01.817 INFO=>CaseFileID 1427667459
11/21/2019 12:22:01.817 INFO=>Creating task 1003ToCLDF
11/21/2019 12:22:01.818 INFO=>Envelope InstID = 12006

Re: Unable to extract value and receiving error message

wenthold — Thu, 21 Nov 2019 18:04:33 GMT

Update: Fixed a typo

It's hard to tell since your example isn't in a code block, but try this:

| rex field=_raw "INFO=>CaseFileID\s*(?<CaseFileID>\d+)"
| rex field=_raw "INFO=>Envelope InstID\s*=\s*(?<instID>\d+)"

You don't have to escape all the characters, and I think the rex issue is that you have a "\" instead of maybe "\s" and in your field capture you didn't have the opening character "<" - (?instID>\d+) should be (?<instID>\d+)

Re: Unable to extract value and receiving error message

shwetamis — Thu, 21 Nov 2019 18:09:31 GMT

That worked 🙂 thank you so much

Re: Unable to extract value and receiving error message

wenthold — Thu, 21 Nov 2019 18:10:08 GMT

you're welcome, glad it helped!