topic Re: How to use the field extraction expression directly using a Rex command ? in Splunk Search

How to use the field extraction expression directly using a Rex command ?

Real_captain — Mon, 07 Oct 2024 07:29:51 GMT

Hi Team

Can you please let me know how can i use the below Field extraction formula directly using the rex command ?

Field extraction formula :
^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)

Re: How to use the field extraction expression directly using a Rex command ?

inventsekar — Mon, 07 Oct 2024 07:47:58 GMT

Hi @Real_captain, could you pls avoid creating duplicate posts
on your yesterday's post, could you pls provide us some more suggestions, details.. then troubleshooting your issue will become easier. thanks.

Re: How to use the field extraction expression directly using a Rex command ?

PickleRick — Mon, 07 Oct 2024 08:10:28 GMT

@inventsekar This one is actually a bit different from those two yesterday's threads I merged into one.

@Real_captainInline extractions must use named capture groups which directly translate to extracted fields (with transform-based extractions you can use numbered capture groups to define fields).

So you can simply do

| rex "your_regex_here"

With just one caveat. Since the argument to rex command is a string you have to properly escape all necessary characters (mostly quotes and backslashes).

Re: How to use the field extraction expression directly using a Rex command ?

Real_captain — Mon, 07 Oct 2024 08:58:57 GMT

@PickleRick

I am getting below error while using the expression with the rex command:

| rex "^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)"

Error in 'SearchParser': Missing a search command before '^'. Error at position '161' of search query 'search index="events_prod_val_ssip_esa" sourcetype...{snipped} {errorcontext = "(?P<POH>[^"]+)"}'.

Re: How to use the field extraction expression directly using a Rex command ?

inventsekar — Mon, 07 Oct 2024 09:25:45 GMT

Hi @Real_captain , troubleshooting a rex command is often a difficult task.
Particularly when we dont know what is the issue itself.

to understand the error msg (search command required before "^"...), if you could copy paste a sample log line, that would be great (remove sensitive details like hostnames, ip address, etc).

maybe try this step by step troubleshooting..

first this rex command: | rex "(?P<POH>[^"]+)" | table POH then second this rex command: | rex "\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)" | table POH at last, this rex command: | rex "^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)" | table POH

Re: How to use the field extraction expression directly using a Rex command ?

PickleRick — Mon, 07 Oct 2024 09:28:45 GMT

As I said - you have to escape the sensitive characters within the string argument. Which means that instead of single backslash you have to use two backslashes, instead of just a quote you need an escaped quote (backslash quote).

Re: How to use the field extraction expression directly using a Rex command ?

Real_captain — Mon, 07 Oct 2024 09:36:39 GMT

Hi @inventsekar
Error is faced with the first rex command.

Re: How to use the field extraction expression directly using a Rex command ?

isoutamo — Mon, 07 Oct 2024 11:07:02 GMT

As it has already said you must escape all special characters!

... | rex "(?P<POH>[^\"]+)"

should fix this one. Just do rest with same way.