https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207886#M60590 <P>I'm assuming your sample data in question is showing data to be extracted from 3 different events. <BR /> You Sample data has variable number of strings (enclosed between numbers). Is that correct? Could you post full raw event as well?</P> Wed, 09 Sep 2015 15:39:15 GMT somesoni2 2015-09-09T15:39:15Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207884#M60588 <P>Hello All,</P> <P>I am brand new to Splunk and can't for the life of me figure out what I am doing wrong. I would like to pull the following data from raw text (about 10 lines of so of raw text), extract to a new field and then replace data in that field from paren number paren with a period. So (number) with . </P> <PRE><CODE>Sample data (1)dkfj(10)dkeiieii(2)ljflkkldj(3) (2)datadata(1)dta(10)dat(2) (8)sample(3)sample(0) </CODE></PRE> <P>I am using the following command in Splunk, but when I try to display the results, I get blank data: </P> <PRE><CODE>tag=unencoded | rex "(?&lt;formatEncode&gt;(\(\d+\))(\w+\(\d+\))+\w+(\(\d+\))" | rex mode=sed field=formatEncode "s/([0-9])/./g" | stats by formatEncode </CODE></PRE> <P>I tested the regex and the sed substitution and both work just fine. I get the following error when I try to run it in Splunk:</P> <PRE><CODE>Error in 'rex' command: Encountered the following error while compiling the regex '(?&lt;formatEncode&lt;(\(\d+\))(\w+\(\d+\))+\w+(\(\d+\))': Regex: missing ) </CODE></PRE> <P>Any help or pointer would be greatly appreciated.</P> <P>Thanks in advance.</P> Wed, 09 Sep 2015 15:02:54 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207884#M60588 splunker1981 2015-09-09T15:02:54Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207885#M60589 <P>Looks like you are missing a bracket at the end of your first rex command.</P> Wed, 09 Sep 2015 15:16:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207885#M60589 dkoops 2015-09-09T15:16:34Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207886#M60590 <P>I'm assuming your sample data in question is showing data to be extracted from 3 different events. <BR /> You Sample data has variable number of strings (enclosed between numbers). Is that correct? Could you post full raw event as well?</P> Wed, 09 Sep 2015 15:39:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207886#M60590 somesoni2 2015-09-09T15:39:15Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207887#M60591 <P>Actually that was the issue, thanks. </P> <P>For those trying to do something similar here is the command I used </P> <PRE><CODE>rex "(?(\(\d+\))([A-Za-z0-9_\-]+\(\d+\))+\w+(\(\d+\)))" | rex mode=sed field=formatEncode "s/\([0-9]\)/./g" | stats by formatEncode </CODE></PRE> Wed, 09 Sep 2015 15:44:20 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-rex-command-Regex-missing-quot/m-p/207887#M60591 splunker1981 2015-09-09T15:44:20Z