topic Re: Receiving an error in 'rex' command in Splunk Search

Why am I am receiving an error in 'rex' command?

Sureshp191 — Thu, 15 Jun 2023 22:52:29 GMT

I am trying to use a similar splunk query:

index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"

| rex "(?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*,"
| stats count BY TradingSymbol(s), Elapsed

I wanted to get them in a table as
Date, PortfolioSymbol(s), ElapsedTime

When I try to run it, I get the error
Error in 'rex' command: The regex '(?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*,' does not extract anything. It should specify at least one named group. Format: (?<name>...).

When I try the same in regexr.com, for the below output, (?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*, able to highlight 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9,

RefreshAsyncjronized End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, ElapsedTime: 12.3762658

Please help, Thanks

Re: Receiving an error in 'rex' command

richgalloway — Wed, 14 Jun 2023 21:04:38 GMT

The error message clearly (IMO) says what the problem is - you don't have a named capture group in the rex command. Fix that. Also, avoid lookbehind - a simple TradingSymbol\(s): is sufficient.

Re: Receiving an error in 'rex' command

Sureshp191 — Wed, 14 Jun 2023 21:36:17 GMT

Thanks for the reply, I tried the below one, I am not getting an error but Statistics output is 0

index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"

| rex field =msg.result.message "TradingSymbol(s): (?<TradingSymbol>[^\"]*) ElapsedTime: (?<ElapsedTime>[^\"]*)"
| stats count BY TradingSymbol ElapsedTime

If I give only the "ElapsedTime: (?<ElapsedTime>[^\"]*)" I am able to see the required output in the Statistics tab but having the two as above, Statistics output is 0

I am new to regex, please help to resolve this:

msg.result.message is

RefreshAsyncjronized End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, ElapsedTime: 12.3762658

on the Statistics page, I want to display.
TradingSymbol ElapsedTime

Re: Receiving an error in 'rex' command

Sureshp191 — Thu, 15 Jun 2023 03:05:48 GMT

@richgalloway

Thanks for the help, I tried
index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"
| rex field=_raw "TradingSymbol\(s\): (?<TradingSymbols>[^,]+), ElapsedTime: (?<ElapsedTime>[^ ]+)"

| table TradingSymbols, Elapsed

Even though I see around 20 plus events but on the Statics tab its zero:

output of msg.result.message on the events tab is:
RefreshAsyncjronized End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, ElapsedTime: 12.3762658

On the Statics tab I wanted to show as below
TradingSymbols ElapsedTime

2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, 12.3762658

Re: Receiving an error in 'rex' command

yeahnah — Thu, 15 Jun 2023 03:17:00 GMT

Hi @Sureshp191

Here's a run anywhere example from the example data provided...

| makeresults | eval raw="RefreshAsyncjronized End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, ElapsedTime: 12.3762658 RefreshAsyncjronized End, TradingSymbol(s): 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, 2AC5, ElapsedTime: 15.3762658" | eval raw=split(raw, " ") | mvexpand raw | rename raw AS _raw ``` the above is just creating dummy events to test the following SPL code with ``` | rex "TradingSymbol\(s\): (?<TradingSymbol>.+?), ElapsedTime: (?<ElapsedTime>[^\s]+)" | stats values(ElapsedTime) AS ElapsedTime BY _time TradingSymbol | rename TradingSymbol AS PortfolioSymbol(s)

Note, using _time instead of Date is useful as the UI formats into a human readable form. If it must be Date then you cannot simply rename _time as Date as the Date will appear as an epoch seconds integer value. You'll need to do reformat time using eval and strftime() functions. Basically, just stick with using _time instead.