Solved: S.o.S - Splunk on Splunk & 6.5.0: How to resolve "...

tmblue · ‎10-20-2016

Error in 'rex' command: Encountered the following error while compiling the regex 'search(_|\s)--id=(?<sid>[_-\w\.]+)(_|\s)--': Regex: invalid range in character class

Can't pull up SoS data, and again this seemed to work in 6.3, maybe worked in 6.4, and def does not work in 6.5. These are not my RegEx's so wondering why the current fail 🙂

Thanks
Tory

ppablo · ‎10-20-2016

Hi @tmblue

The S.o.S - Splunk on Splunk app was End of Life as of Splunk 6.3.x because it was replaced by the Distributed Management Console built into the Splunk platform, as stated at the top of the Overview of the app's page: https://splunkbase.splunk.com/app/748/

For 6.2.x, 6.3.x, and 6.4.x, refer to Splunk documentation for the Distributed Management Console:
6.2.x: http://docs.splunk.com/Documentation/Splunk/6.2.12/Admin/ConfiguretheMonitoringConsole
6.3.x: http://docs.splunk.com/Documentation/Splunk/6.3.8/DMC/DMCoverview
6.4.x: http://docs.splunk.com/Documentation/Splunk/6.4.5/DMC/DMCoverview

As of 6.5.x, it is now called the Monitoring Console:
http://docs.splunk.com/Documentation/Splunk/6.5.0/DMC/DMCoverview

View solution in original post

ejharts2015 · ‎01-18-2017

Just for others, we still use SoS on 6.5 and ran into this same issue. Changed this regex line to get the search to return:

| rex field=ARGS "search(_|\s)--id=(?<sid>[_\-\w\.]+)(_|\s)--"

ppablo · ‎10-20-2016