topic Re: Getting error Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?& in Splunk Search

Why the error Error in 'rex' command while compiling the regex '\/home\/mysqld\/(?<D?

shruti14 — Mon, 09 Jan 2023 16:21:55 GMT

index=mysql sourcetype=audit_log earliest=1
| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"
| eval Database = coalesce(Database1,Database2)
| fields - Database1,Database2
| rex field=USER "(?<USER>[^\[]+)"
| rex mode=sed field=HOST "s/\.[a-z].*$//g"
| eval TIMESTAMP=strptime(TIMESTAMP, "%Y-%m-%dT%H:%M:%S UTC")
| where TIMESTAMP > now()-3600*24*90
| eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d")
| eval COMMAND_CLASS=if(isnull(COMMAND_CLASS) OR COMMAND_CLASS="", "NA", COMMAND_CLASS)
| eval HOST=if(isnull(HOST) OR HOST="", "NA", HOST)
| eval IP=if(isnull(IP) OR IP="", "NA", IP)
| eval Action=if(isnull(NAME) OR NAME="", "NA", NAME)
| eval STATUS=if(isnull(STATUS) OR STATUS="", "NA", STATUS)
| eval Query=if(isnull(SQLTEXT) OR SQLTEXT="", "NA", SQLTEXT)
| eval USER=if(isnull(USER) OR USER="", "NA", USER)
| stats count as Events by Database USER HOST IP COMMAND_CLASS Action STATUS Query TIMESTAMP
| lookup mysql_databases.csv DATABASE as Database OUTPUT APP_NAME
| eval APP_NAME=if(isnull(APP_NAME) OR APP_NAME="", "NA", APP_NAME)

and hence getting no output in search and reporting tab

Re: Getting error Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&

shruti14 — Sat, 07 Jan 2023 14:15:18 GMT

Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?<Database1>.*)\/audit\/': Regex: syntax error in subpattern name (missing terminator).

Re: Getting error Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&

yuanliu — Sat, 07 Jan 2023 18:23:17 GMT

Are you sure they are not supposed to be this?

| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/" | rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"

You use HTML entities in dashboard source (if dashboard is SimpleXML), but not in search line.

Re: Getting error Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&

shruti14 — Sat, 07 Jan 2023 18:52:58 GMT

Dashboard is simple xml but there also | rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/" not giving me result.

Re: Getting error Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&

yuanliu — Sat, 07 Jan 2023 21:49:15 GMT

The question is in which interface do you see "(?<Database1>.*)". If you see them in the source editor, they should not cause any problem at all. If you see them in panel editor, or worse, if you enter them into the search bar, they are plain wrong.

In case you are unfamiliar with Splunk's editor interfaces, whether you are using source editor or panel editor is determined by how you start the editing. Here are some screenshots to show their differences.

This is the source editor

This is the panel search editor

(Of course you know how the search bar look like.)

This is another interface that allows you to select which editor to use from the dashboard list.

Hope this helps.

Re: Getting error Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&

shruti14 — Sun, 08 Jan 2023 08:55:34 GMT

I am using source editor

Re: Getting error Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&

yuanliu — Sun, 08 Jan 2023 09:36:49 GMT

If you did copy from source editor, the search view (in panel editor) of the two lines should be as I printed above, i.e.,

| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"

These two lines are correct and do not cause the error in your question. Can you show us the actual search code in search view (under panel editor)?

Or are you trying to copy from source editor into a search window? Generally that will cause error if there are any characters that needs to be presented as HTML entities in Simple XML, such as less-than sign (<) and greater-than sign (>) as is used in rex commands. Simply put, do not copy code from source editor into search window. If you need to copy something into search window, you must use the panel editor. (Or, outside of editor, use "Open in search" link (magnifying glass).)