create new field with REST API of splunk

snigdha9nov · ‎01-24-2019

I am new in splunk... I am trying to create a new field(want to give a name as "gen") from raw events of train.csv (mydataset) by using regular expression of splunk REST api . my same regualar expression is working well in splunk web page but getting parenthesis error .
here is my code
curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/export -d search="search source=train.csv |rex field=_raw '^(?:[^,\n]*,){5}(?P\w+,)'| top gen"

but getting error
FATAL">Error in 'rex' command: Encountered the following error while compiling the regex ''^(?:[^': Regex: missing closing parenthesis

I have checked no parenthesis missing...please help me to get right code

harsmarvania57 · ‎01-25-2019

Hi @snigdha9nov,

You can try below command which works fine and it will extract field called extracted_field

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/export -d search="search source=train.csv |rex field=_raw \"^(?:[^,\n]*,){5}(?P<extracted_field>\w+,)\"| top gen"

For example I am running below query in my lab to extract IP address from _internal index and it is working fine.

curl -vk -u admin:mypass https://localhost:8089/services/search/jobs/export -d search="search index=_internal source=*splunkd.log | rex \"from\s(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\"

snigdha9nov · ‎01-25-2019

fieldOrder>

thanks a lot ...but I am unable to see the result

gen
count
percent
_tc

Configuration initialization for /Applications/Splunk/etc took 19ms when dispatching a search (search ID: 1548407977.58)
base lispy: [ AND source::train.csv ]

harsmarvania57 · ‎01-25-2019

If you look at the document https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTREF/RESTsearch#search.2Fjobs.2Fexport then it is saying that search/jobs/export will stream results as they become available, if you want to search the data and then retrieve result once job will complete then use other rest endpoint

For example:

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs -d search="search source=train.csv |rex field=_raw \"^(?:[^,\n]*,){5}(?P<extracted_field>\w+,)\"| top gen" -d id=mysearch -d earliest_time=-15m@m

And to retrieve results in another request

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/mysearch/results --get -d output_mode=json

snigdha9nov · ‎01-25-2019

curl -k -u admin:password https://localhost:8089/services/search/jobs/1548409940.125/results --get -d output_mode=json

why getting this
{"messages":[{"type":"FATAL","text":"Unknown sid."}]}

harsmarvania57 · ‎01-25-2019

From where you got this SID 1548409940.125 ? If you do not want to rely on Splunk generated SID then you can supply user friendly SID name (-d id=mysearch) when firing search, see example I have given above and use that SID to retrieve results.

snigdha9nov · ‎01-25-2019

{"preview":false,"init_offset":0,"post_process_count":0,"messages":[],"results":

I

harsmarvania57 · ‎01-25-2019

This means that query didn't find any matching events, please wider your time span.

snigdha9nov · ‎01-25-2019

DEBUG">Configuration initialization for /Applications/Splunk/etc took 19ms when dispatching a search (search ID: 1548416060.239)
base lispy: [ AND source::train.csv ]

still facing this problem

create new field with REST API of splunk

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2