https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173438#M49738 <P>hi<BR /> try this search code : </P> <PRE><CODE>...................................|rex field=_raw "count\(domain\)\=(?&lt;count_domain&gt;[^\,]+)"|table count_domain </CODE></PRE> Sun, 11 Dec 2016 15:44:28 GMT chimell 2016-12-11T15:44:28Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173429#M49729 <P>The regular expression is correct according to RegExr, but i keep on getting this error</P> <PRE><CODE>Error in 'rex' command: Encountered the following error while compiling the regex 'count(domain)=(?&lt;count(domain)&gt;.*)': Regex: syntax error in subpattern name (missing terminator) </CODE></PRE> <P>Here is what i have in Splunk Search:</P> <PRE><CODE>rex field=_raw "count(domain)=(?&lt;count(domain)&gt;.*)" </CODE></PRE> <P>Thanks guys</P> Wed, 21 May 2014 07:07:17 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173429#M49729 ilove275 2014-05-21T07:07:17Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173430#M49730 <P>can you provide some sample events please?</P> Wed, 21 May 2014 07:23:17 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173430#M49730 MuS 2014-05-21T07:23:17Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173431#M49731 <P>Hi ilove275,</P> <P>brackets inside the rex field name cause the syntax issue.changing the field name count(domain) to domain_count would help u solving the issue.</P> <PRE><CODE>rex field=_raw "count\(domain\)=(?&lt;domain_count&gt;.*)" </CODE></PRE> <P>Thanks.</P> Wed, 21 May 2014 07:51:32 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173431#M49731 rakesh_498115 2014-05-21T07:51:32Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173432#M49732 <P>sample log</P> <P>05/20/2014 00:00:00 +0900, search_name=AAAAA, search_now=1400606400.000, info_min_time=1400511600.000, info_max_time=1400598000.000, info_search_time=1400606401.123, count(domain)=744788, date_wday=tuesday<BR /> Thanks</P> Mon, 28 Sep 2020 16:40:57 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173432#M49732 ilove275 2020-09-28T16:40:57Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173433#M49733 <P>and don't forget to append a <CODE>"</CODE> at the end of the regex command</P> Wed, 21 May 2014 07:59:22 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173433#M49733 MuS 2014-05-21T07:59:22Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173434#M49734 <P>field name's "count(domain)" not "domain_count"</P> <P>My Splunk Search<BR /> index="AAAA" source="BBBB" | rex field=_raw "count(domain)=(?<COUNT>.<EM>) date_wday=(?<DATE_WDAY>.</DATE_WDAY></EM>)" | table date_wday count(domain)</COUNT></P> <P>error<BR /> Error in 'rex' command: Encountered the following error while compiling the regex 'count(domain)=(?<COUNT>.<EM>) date_wday=(?<DATE_WDAY>.</DATE_WDAY></EM>)': Regex: syntax error in subpattern name (missing terminator)</COUNT></P> <P>Thanks rakesh_498115</P> Mon, 28 Sep 2020 16:41:00 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173434#M49734 ilove275 2020-09-28T16:41:00Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173435#M49735 <P>it doesn't come out the File name "domain_count" when I use "Rename" commamd</P> Wed, 21 May 2014 14:51:33 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173435#M49735 ilove275 2014-05-21T14:51:33Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173436#M49736 <P>Try this (run anywhere)</P> <PRE><CODE> index="AAAA" source="BBBB" | rex field=_raw "count\(domain\)=(?&lt;domain_count&gt;.*)," | rename domain_count as count(domain) </CODE></PRE> Wed, 21 May 2014 20:22:35 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173436#M49736 somesoni2 2014-05-21T20:22:35Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173437#M49737 <P>Thanks for your help<BR /> ^^</P> Thu, 22 May 2014 00:05:00 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173437#M49737 ilove275 2014-05-22T00:05:00Z https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173438#M49738 <P>hi<BR /> try this search code : </P> <PRE><CODE>...................................|rex field=_raw "count\(domain\)\=(?&lt;count_domain&gt;[^\,]+)"|table count_domain </CODE></PRE> Sun, 11 Dec 2016 15:44:28 GMT https://community.splunk.com/t5/Splunk-Search/rex-error-help/m-p/173438#M49738 chimell 2016-12-11T15:44:28Z