https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111002#M29054 <P>When running the regex below, the search doesn't return any results even though the reg ex string works well on the external regex builder I use. Help.</P> <P>Here's the original string: <CODE>\.(.{2,4}\s+?)</CODE></P> <P>Here's the spunk search: <CODE>index=*|fields file | rex field=file "(?\.(.{2,4}\s+?))" | stats count(Asset) AS "Total" by Asset | sort -Total</CODE></P> Tue, 11 Nov 2014 22:50:21 GMT ashnet16 2014-11-11T22:50:21Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111002#M29054 <P>When running the regex below, the search doesn't return any results even though the reg ex string works well on the external regex builder I use. Help.</P> <P>Here's the original string: <CODE>\.(.{2,4}\s+?)</CODE></P> <P>Here's the spunk search: <CODE>index=*|fields file | rex field=file "(?\.(.{2,4}\s+?))" | stats count(Asset) AS "Total" by Asset | sort -Total</CODE></P> Tue, 11 Nov 2014 22:50:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111002#M29054 ashnet16 2014-11-11T22:50:21Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111003#M29055 <P>Could you provide some of your RAW data? The content of field "file" should be enough.</P> Tue, 11 Nov 2014 22:52:57 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111003#M29055 musskopf 2014-11-11T22:52:57Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111004#M29056 <P>The first error is here:</P> <P><STRONG>(?</STRONG>.(.{2,4}s+?)<STRONG>)</STRONG></P> <P>you have <CODE>(?</CODE> and <CODE>)</CODE> at the start and end... that doesn't look right.</P> <P>Also, to use the <CODE>rex</CODE> command, you need to use Named Capturing group in the regex, like: </P> <PRE><CODE>.(?P&lt;test&gt;.+) </CODE></PRE> <P>Where <STRONG>test</STRONG> will be the name of the field extracted.</P> Tue, 11 Nov 2014 22:56:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111004#M29056 musskopf 2014-11-11T22:56:48Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111005#M29057 <P>Here is some raw data:</P> <P>vcard.png<BR /> phone.png<BR /><BR /> style.css<BR /><BR /> jquery.colorbox-min.js</P> <P>Thanks!!</P> Tue, 11 Nov 2014 22:58:12 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111005#M29057 ashnet16 2014-11-11T22:58:12Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111006#M29058 <P>Ok, and is that a single line? or multiple entries? Also, what are you trying to extract?</P> Tue, 11 Nov 2014 23:00:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111006#M29058 musskopf 2014-11-11T23:00:03Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111007#M29059 <P>This is the Splunk search Format for rex: (?...) (.....)equals the regular expression. </P> Tue, 11 Nov 2014 23:01:28 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111007#M29059 ashnet16 2014-11-11T23:01:28Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111008#M29060 <P>Hi,</P> <P>please provide real data, <BR /> describe what you are trying to achieve, <BR /> use the <CODE>code</CODE> markup where appropriate, since this help with formatting and special characters</P> <P>If you got a good answer, vote up a/o mark as answered.</P> <P>/K</P> Wed, 12 Nov 2014 07:49:45 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111008#M29060 kristian_kolb 2014-11-12T07:49:45Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111009#M29061 <P>Hi ashnet16,</P> <P>As Kristian says, we need some real data and also exactly what you try to extract from that data.<BR /><BR /> With that said, your original rex <CODE>| rex field=file "(?\.(.{2,4}\s+?))"</CODE> does not look right. </P> <P>If you want to convert your original regular expression <CODE>\.(.{2,4}\s+?)</CODE> to rex, I would expect it to look something like this: </P> <P>| rex field=file ".(?&lt;fieldname&gt;.{2,4}\s+?)"</P> <P>Cheers!</P> <P>#Sven Emil</P> Wed, 12 Nov 2014 08:08:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-regex-returning-anything/m-p/111009#M29061 sves 2014-11-12T08:08:02Z