All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using rex simple-xml with javascript extensions

bmacias84
Champion
‎07-13-2014 04:30 PM

Hello,

I am running into a problem where I am attempting to use rex command similar to the Custom Chart Overlay in Simple XML examples.

I know my search works in simple xml.



earliest=-2hr latest=now

| fields time_taken, cs_uri_stem, sc_status

| rex field=sc_status \"(?<200>2\d\d)\"

 |rex field=sc_status \"(?<300>3\d\d)\"

| rex field=sc_status \"(?<400>4\d\d)\"

| rex field=sc_status \"(?<500>5\d\d)\"

| rex field=cs_uri_stem \"(?<uri>/[\w\d]{0,13})\"

| eval uri=lower(uri) |bucket _time span=2m

| stats count(200) as 200, count(300) as 300, count(400) as 400, count(500) as 500, avg(time_taken) as AvgTime by _time uri

but in the following it doesnt



            <div id="base-search"

                 class="splunk-manager"

                 data-require="splunkjs/mvc/searchmanager"

                 data-options='{

                    "earliest_time": "-2@h",

                    "latest_time": "now",

                    "cache": "60",

                    "search": ".... earliest=-2hr latest=now

                                | fields time_taken, cs_uri_stem, sc_status

                                | rex field=sc_status \"(?&lt ;200&gt ;2\d\d)\"

                                | rex field=sc_status \"(?&lt ;300&gt ;3\d\d)\"

                                | rex field=sc_status \"(?&lt ;400&gt ;4\d\d)\"

                                | rex field=sc_status \"(?&lt ;500&gt ;5\d\d)\"

                                | rex field=cs_uri_stem \"(?&lt ;uri&gt ;/[\w\d]{0,13})\"

                                | eval uri=lower(uri) |bucket _time span=2m

                                | stats count(200) as 200, count(300) as 300, count(400) as 400, count(500) as 500, avg(time_taken) as AvgTime by _time uri"

                 }'>

What gives?

Thanks in advance

0 Karma
Reply

lukeh
Contributor
‎03-23-2015 07:23 PM

mathu has it, you have to use a backslash to escape the double quotes.

I also had to escape the existing backslashes in my regex:

| rex field=cst_ls_segment \"LS\\d+\\s+(?&lt;segment&gt;.*)\"

Cheers,

Luke.

0 Karma
Reply

bmacias84
Champion
‎07-17-2014 09:06 AM

I would post the job inspector, but as soon I add regex it never makes it to the search manager.

0 Karma
Reply

mathu
Path Finder
‎07-14-2014 10:50 PM

can you post the resulting search (from the job inspector)?

0 Karma
Reply

bmacias84
Champion
‎07-14-2014 04:24 PM

Sorry I forgot to added the double backslash. The part that having problems is the rex extraction. It does nots like the html encoding of the greater/ less than symbols or the symbol.

0 Karma
Reply

mathu
Path Finder
‎07-14-2014 01:30 PM

Use a backslash to escape the double quotes.
Single quotes don't work because of "data-options" which is already quoted with singles.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2014 04:34 PM

Make sure you either escape the double quotes within the search string or use single quotes around it instead.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...