MAP with REGEX not working

berserkersyco — Fri, 11 Dec 2020 21:54:32 GMT

hi,

i wanted to fetch some information from my logs. here is the scenario:

index=xyz host=xxx.com source="/as/df/gh/*.log" "[error]"
| rex field=_raw "LoadPlanName:\s(?P<LP_Name>[^\]]*)"
| table LP_Name
| dedup LP_Name

above query gives me the result as below

LP_Name
LP_abc
LP_abc1
LP_abc2

now from the same source i want to fetch other details for the LP_Name extracted above i.e LP_abc, LP_abc1, LP_abc2, for that i tried to create below query which is not working:

index=xyz host=xxx.com source="/dir1/dir2/*.log" "[error]"
| rex field=_raw "LoadPlanName:\s(?P<LP_Name>[^\]]*)"
| table LP_Name
| dedup LP_Name
| map search = "search index=xyz host=xxx.com source="/dir1/dir2/*.log" "[completed]"
| rex field=_raw "LoadPlanName:\s(?P<LPN>[^\]]*)"
LPN=$LP_Name"

For above query i have been getting below error:

Error in 'SearchParser': Missing a search command before '^'. Error at position '417' of search query 'search index=oitp host=ITCNCHN-LX4* source="/opt/o...{snipped} {errorcontext = s(?P<LPN>[^\]]*)" L}'.

i have been struggling with it from a long time now, need help to get the the data that i desired. Thanks in advance.

Re: MAP with REGEX not working

richgalloway — Fri, 11 Dec 2020 22:19:22 GMT

I think Splunk is complaining about the embedded quotation marks in the map command. Try escaping them.

topic Re: MAP with REGEX not working in Splunk Search

MAP with REGEX not working

Re: MAP with REGEX not working