topic Re: Why is "rex field" not producing results when used in an API call? in Splunk Search

Why is "rex field" not producing results when used in an API call?

selsin — Wed, 01 Feb 2017 21:23:23 GMT

Search works correctly in Splunk Web:

index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)" | stats count by client

But using it in an API call returns nothing:

curl -u user:'password' -k https://localhost:8089/services/search/jobs/export -d search='search index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)" | stats count by client' -d output_mode=csv -d earliest_time="-1d" -d latest_time="-1m"

I can get other searches to execute correctly via API calls, and even other versions of this search that return multiple other fields. But if I ask it to return field "client" also, it always renders nothing for output.

Re: Why is "rex field" not producing results when used in an API call?

DalJeanis — Wed, 01 Feb 2017 22:07:42 GMT

Are there really asterisks in that regex around the word "client" in the two searches?

If asterisk-client-asterisk is a valid name, it needs to be used in the "by" clause as well as the rex.

Re: Why is "rex field" not producing results when used in an API call?

selsin — Wed, 01 Feb 2017 22:39:56 GMT

No, there are no asterisks. It is actually like this: (?<client>\w+)
When I was putting the question in, the preview window showed only (?\w+). So adding asterisks made it print in italics, but at least show correctly. Didn't know that once the question got approved and posted it would literally add the asterisks in.

Re: Why is "rex field" not producing results when used in an API call?

selsin — Wed, 01 Feb 2017 23:06:11 GMT

Corrected the above queries. They now show correctly.

Re: Why is "rex field" not producing results when used in an API call?

scott_cultuream — Sun, 11 Jun 2017 13:17:12 GMT

Were you able to figure this out? I'm having the same issue. rex doesn't seem to generate new fields when used in the API

Re: Why is "rex field" not producing results when used in an API call?

selsin — Mon, 12 Jun 2017 14:03:38 GMT

No was never able to get it to work. We ended up having to write a perl script to parse the output instead.

Re: Why is "rex field" not producing results when used in an API call?

scott_cultuream — Mon, 12 Jun 2017 20:45:40 GMT

I actually was able to make it work.

For some reason, the rex expression that I was using in the UI didn't work. But when I rewrote to be based off of _raw rather than another field, that did the trick. You have to write a more complex expression, but for me, it wasn't terrible.

Re: Why is "rex field" not producing results when used in an API call?

micahkemp — Wed, 14 Jun 2017 14:15:26 GMT

Have you tried specifying your search with --data-urlencode instead of -d (which doensn't URL encode). Your search contains a +, which I believe represents a space unless URL encoded.

Re: Why is "rex field" not producing results when used in an API call?

selsin — Wed, 14 Jun 2017 15:13:32 GMT

That did it. Thanks!