https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251911#M75317 <P>Additional question 'to the same scenario': If we would have the following (<STRONG>within</STRONG> the same event)</P> <P>1000 dir1<BR /> 1200 dir2<BR /> 1550 dir3<BR /> Etc.</P> <HR /> <PRE><CODE> .... | rex "(?&lt;size&gt;\d+)\s+(?&lt;dir&gt;\w+)" | eval GB=(size/1024)/1024 | timechart mode(GB) as Size by dir </CODE></PRE> <P>This will give me <STRONG>only</STRONG> the first line, which is 1000 and dir1. <STRONG>How</STRONG> do I extract the sample above so that I have different events for <STRONG>all</STRONG> (directories and total values)?</P> Mon, 23 May 2016 07:08:07 GMT edwinmae 2016-05-23T07:08:07Z https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251908#M75314 <P>I run a daily script on the server, <STRONG>du -sk</STRONG>, against a certain directory that contains 200 subdirectories and write that to a <STRONG>.txt</STRONG> file</P> <P>Example output (of the .txt file)</P> <P>1000 name1 (1000 = size (total) and name1 = subdirectory)<BR /> 1100 name2<BR /> 1200 name3</P> <HR /> <P>In Splunk this shows in a similar way as above<BR /> <STRONG>Time</STRONG> and <STRONG>Event</STRONG> (Event data is 1000 name1) <EM>-- example --</EM></P> <P>Next line = 1100 name2, etc. <EM>--- every line looks like a 'separate' event (=line) in Splunk --</EM></P> <HR /> <P>Now when I try to Extract new fields it throws: </P> <PRE><CODE>Error in 'rex' command: Encountered the following error while compiling the regex '(?i)^(?P[^\t]+)': Regex: syntax error in subpattern name (missing terminator) </CODE></PRE> <HR /> <P>Target is to show the output in a graph (likely in MB or GB) per 'subdirectory'. I saw a similar case, but I was not able to re-produce the solution that was stated.</P> <P>There is very likely a very simple solution for this <STRONG>to separate the e.g. 1000 from the name1</STRONG>, but I have not succeeded myself -- Yeah I know <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 17 May 2016 10:57:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251908#M75314 edwinmae 2016-05-17T10:57:52Z https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251909#M75315 <P>There's no need for the <CODE>(?i)</CODE> flag since your regex does not contain alphas. This command will extract the directory size and name.</P> <PRE><CODE>... | rex "(?&lt;size&gt;\d+)\s+(?&lt;dir&gt;\w+)" | ... </CODE></PRE> Tue, 17 May 2016 13:34:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251909#M75315 richgalloway 2016-05-17T13:34:06Z https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251910#M75316 <P>Worked -- Thanks!</P> Thu, 19 May 2016 05:09:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251910#M75316 edwinmae 2016-05-19T05:09:58Z https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251911#M75317 <P>Additional question 'to the same scenario': If we would have the following (<STRONG>within</STRONG> the same event)</P> <P>1000 dir1<BR /> 1200 dir2<BR /> 1550 dir3<BR /> Etc.</P> <HR /> <PRE><CODE> .... | rex "(?&lt;size&gt;\d+)\s+(?&lt;dir&gt;\w+)" | eval GB=(size/1024)/1024 | timechart mode(GB) as Size by dir </CODE></PRE> <P>This will give me <STRONG>only</STRONG> the first line, which is 1000 and dir1. <STRONG>How</STRONG> do I extract the sample above so that I have different events for <STRONG>all</STRONG> (directories and total values)?</P> Mon, 23 May 2016 07:08:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-rex-to-extract-Linux-directory-sizes-and-names/m-p/251911#M75317 edwinmae 2016-05-23T07:08:07Z