https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114374#M30244 <P>I think the problem should be your regular expression. Try this:</P> <PRE><CODE>search="index=jobevent NOT \"Racu name\" | rex field=_raw \"ForsCartNumbers(?&lt;cart_num&gt;w{2}d{3})\" | stats count by cart_num" </CODE></PRE> Tue, 19 May 2015 21:39:19 GMT stephanefotso 2015-05-19T21:39:19Z https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114372#M30242 <P>Hi<BR /> Today I started to work with the Django binding and I am trying to extract a field, but I encountered an error. I am not sure what is wrong. I tried to run the search inline and it worked correctly.</P> <P>{% searchmanager<BR /> id="stats_count_by_cart_num"<BR /> search="index=jobevent NOT "Racu name" | rex "For\sCartNumber\s(?&lt;cart_num&gt;\w{2}\d{3})" | stats count by cart_num"<BR /> earliest_time="-2y@y"<BR /> latest_time="now"<BR /> cache=False<BR /> %}</P> <P>⚠ Error in 'rex' command: The regex '"For\sCartNumber\s(?&lt;cart_num&gt;\w{2}\d{3})"' does not extract anything. It should specify at least one named group. Format: (?...). </P> Mon, 28 Sep 2020 19:59:26 GMT https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114372#M30242 edrivera3 2020-09-28T19:59:26Z https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114373#M30243 <P>UPDATE: ;<BR /> I decided to extract the field in props.conf, but I encountered an error anyway: No results found.</P> <P>search="index=jobevent NOT "Racu name" | stats count by cart_num"</P> Tue, 19 May 2015 20:27:47 GMT https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114373#M30243 edrivera3 2015-05-19T20:27:47Z https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114374#M30244 <P>I think the problem should be your regular expression. Try this:</P> <PRE><CODE>search="index=jobevent NOT \"Racu name\" | rex field=_raw \"ForsCartNumbers(?&lt;cart_num&gt;w{2}d{3})\" | stats count by cart_num" </CODE></PRE> Tue, 19 May 2015 21:39:19 GMT https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114374#M30244 stephanefotso 2015-05-19T21:39:19Z https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114375#M30245 <P>Now, I am extracting the field using props.conf. I verified it in the Splunk App and the field values are correct so there is no problem with the regex. But for some reason there is not result found from the search. I think maybe the problem is related to some permission limitation but I am not sure where to look for them.</P> Tue, 19 May 2015 22:10:47 GMT https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114375#M30245 edrivera3 2015-05-19T22:10:47Z https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114376#M30246 <P>I'm not sure about some permission here. I think you must escape <STRONG>double quotes</STRONG> properly. In some cases, instead of enclose your search wth double quotes you must use simple quotes. Something like this</P> <PRE><CODE> search='index=jobevent NOT \"Racu name\" | rex field=_raw \"ForsCartNumbers(?&amp;lt;cart_num&amp;gt;w{2}d{3})\" | stats count by cart_num' </CODE></PRE> Tue, 19 May 2015 22:31:43 GMT https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114376#M30246 stephanefotso 2015-05-19T22:31:43Z https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114377#M30247 <P>Thank you. You were right. I made the changes and it worked perfectly. </P> Wed, 20 May 2015 14:41:14 GMT https://community.splunk.com/t5/Splunk-Search/searchmanager-Error-extracting-fields/m-p/114377#M30247 edrivera3 2015-05-20T14:41:14Z