topic Re: problem with REX in Splunk Search

problem with REX

abhayneilam — Fri, 26 Oct 2012 19:18:34 GMT

I am giving the following search :

index="maa" | table Name Age Location | rex field="Location" (?(?i)"delhi") | eval ONE=lower(ONE) |stats count(ONE) by ONE

and it is giving me :

delhi 5 ( because delhi is coming five times )

but when I am running with multiple keywords :

it is giving me some diffent count for delhi

delhi 4
kol 2

I am not getting the correct count when i am using it for more than one keyword. please help otherwise I have to write "rex" 20 times for 20 keywords

Please help

Thanks in advance

Re: problem with REX

MuS — Fri, 26 Oct 2012 19:47:45 GMT

hi abhayneilam

take your _raw data, paste them into http://gskinner.com/RegExr/ and test your regex until it matches. gskinner's RegExr is just perfect to test regex for splunk.

cheers,

MuS

Re: problem with REX

abhayneilam — Fri, 26 Oct 2012 20:26:45 GMT

But my question was something different, I am asking for the correct count as shown above..please help me out with this problem...

Please help me ..

Thanks in Advance !!

Re: problem with REX

MuS — Fri, 26 Oct 2012 20:33:56 GMT

exactly, that's why you have to use your raw data and test your regex. I cannot do magic and provide any solution without the raw data.

Re: problem with REX

abhayneilam — Mon, 28 Sep 2020 12:42:14 GMT

abhay|26|koldelhigmumbaiis_delhiood_di
murari|30|ranigang
abc|32|mumbai is delhi place
murari|30|ranigang_kolbabbu is kol
murari|30|delHI is not in kolkata
mno|100|delhi
murari|30|ranig
xyz|100|delhi

this is my raw data.. delhi is coming 5 times but in the search it is coming 4 times , and kol is coming 3 times but in the search it is coming 2 times ..

Now , I thing you can provide some solutions on that

Re: problem with REX

MuS — Fri, 26 Oct 2012 20:42:40 GMT

delhi is matching 6 times 😉

Re: problem with REX

MuS — Fri, 26 Oct 2012 20:47:13 GMT

no honestly as I've written use gskinner RegExr it helps a lot. Probably you have some miss understanding of your raw data and the regex because kol is 4 times in the raw data and not only 3 times.

Re: problem with REX

abhayneilam — Fri, 26 Oct 2012 20:48:28 GMT

One per line, so it counts 5 :). please help me to solve this one

Re: problem with REX

abhayneilam — Fri, 26 Oct 2012 20:54:33 GMT

One pattern per line, kol is 3 times and delhi is 5 times..

Now please help

Re: problem with REX

MuS — Fri, 26 Oct 2012 21:10:21 GMT

with your regex this will not work, neither with mine. for example the first line matches both kol and delhi. Then you have delHi, that does not match delhi - it would match delHi. this will be very tricky to match your expatiation, data and regex.

give me some time.....

Re: problem with REX

MuS — Mon, 29 Oct 2012 07:22:59 GMT

the problem is, that in the data multiple city occur at the same line. you want to match only ONE city per line, either delhi, kol or mumbai.
I cannot create any regex matching this pattern on gskinner....sorry but on the other hand I'm no regex expert after all 🙂