https://community.splunk.com/t5/Splunk-Search/Getting-error-in-rex-command-while-running-search-for-DB-health/m-p/517424#M145497 <P>Hello Splunkers,</P> <P>I'm working on creating a DB health check report. Idea is to get the&nbsp; error info when there is&nbsp; a failed db connection.&nbsp; When I'm trying to run the search below in Splunk QA I'm getting an error as&nbsp;<SPAN>Error in 'rex' command: Encountered the following error while compiling the regex '^(?&amp;lt;error&amp;gt;.*)\n?': Regex: syntax error in subpattern name (missing terminator). </SPAN></P> <P>Could you please help me resolve this issue? Thanks in advance.&nbsp;</P> <LI-CODE lang="markup">index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*" | eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S") | join type=left connection [search index="_internal" sourcetype=dbx_server ERROR | rex field=_raw "^(?&amp;lt;error&amp;gt;.*)\n?" | rex field=error "/api/connections/(?&amp;lt;connection&amp;gt;[^/]+)"] | stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name | sort - status</LI-CODE> Wed, 02 Sep 2020 18:04:47 GMT firefox95 2020-09-02T18:04:47Z https://community.splunk.com/t5/Splunk-Search/Getting-error-in-rex-command-while-running-search-for-DB-health/m-p/517424#M145497 <P>Hello Splunkers,</P> <P>I'm working on creating a DB health check report. Idea is to get the&nbsp; error info when there is&nbsp; a failed db connection.&nbsp; When I'm trying to run the search below in Splunk QA I'm getting an error as&nbsp;<SPAN>Error in 'rex' command: Encountered the following error while compiling the regex '^(?&amp;lt;error&amp;gt;.*)\n?': Regex: syntax error in subpattern name (missing terminator). </SPAN></P> <P>Could you please help me resolve this issue? Thanks in advance.&nbsp;</P> <LI-CODE lang="markup">index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*" | eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S") | join type=left connection [search index="_internal" sourcetype=dbx_server ERROR | rex field=_raw "^(?&amp;lt;error&amp;gt;.*)\n?" | rex field=error "/api/connections/(?&amp;lt;connection&amp;gt;[^/]+)"] | stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name | sort - status</LI-CODE> Wed, 02 Sep 2020 18:04:47 GMT https://community.splunk.com/t5/Splunk-Search/Getting-error-in-rex-command-while-running-search-for-DB-health/m-p/517424#M145497 firefox95 2020-09-02T18:04:47Z https://community.splunk.com/t5/Splunk-Search/Getting-error-in-rex-command-while-running-search-for-DB-health/m-p/517425#M145498 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224393">@firefox95</a>,</P><P>the first regex isn't so clear for me,&nbsp;because it seems that you take with the first regex all the _raw and with the second a part of it, so why you extracted twice?</P><P>could you share an example of your logs?</P><P>Then when you insert codes please use the "Insert/Edit Code Sample" button (the one with "&lt;/&gt;").</P><P>At least why do you use Join between in a search on the same index? remember that there's the limit of 50,000 results in subsearches, maybe it's possible to run a simpler search.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 02 Sep 2020 08:23:07 GMT https://community.splunk.com/t5/Splunk-Search/Getting-error-in-rex-command-while-running-search-for-DB-health/m-p/517425#M145498 gcusello 2020-09-02T08:23:07Z https://community.splunk.com/t5/Splunk-Search/Getting-error-in-rex-command-while-running-search-for-DB-health/m-p/517428#M145500 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224393">@firefox95</a>&nbsp;, if you are using this search for a report , please use below&nbsp;</P><P>index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*"<BR />| eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S")<BR />| join type=left connection [search index="_internal" sourcetype=dbx_server ERROR<BR />| rex field=_raw "^(?&lt;error&gt;.*)\n?"<BR />| rex field=error "/api/connections/(?&lt;connection&gt;[^/]+)"]<BR />| stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name<BR />| sort - status</P> Wed, 02 Sep 2020 08:26:11 GMT https://community.splunk.com/t5/Splunk-Search/Getting-error-in-rex-command-while-running-search-for-DB-health/m-p/517428#M145500 Nisha18789 2020-09-02T08:26:11Z