Rex positive lookahead (?=) in dashboard causing "waiting for data"

rivium_ro_mc
Explorer

Does anyone know why a lookahead such as the following causes a dashboard panel to hang with "waiting for data", but works perfectly when run in an independent search?

 

rex field=foo "(?=\w+$)(?P<bar>\w+$)"

 

Stranger still - if the rex command is ``` commented out ```, the issue continues to occur.

For context, the panel is a tabular drilldown panel that uses a boolean token to display on/off, and two tokens for earliest and latest values, based on the selected "row" of a column chart using $row._time and relative_time($row._time$, "+1h"). The panel displays without issue when the rex is removed. Other rex commands work without issue.

The solution in this case was to remove the lookahead entirely. However, given the status of "waiting for data", does anyone know the cause (and thus ways to avoid this issue in general)?

0 Karma
1 Solution

bowesmana
SplunkTrust

How many $ signs do you have in your regex?

If you make a search which includes that rex statement as shown in your post and save it as a dashboard panel, in the raw XML, you will see

| rex field=_raw "(?=\w+$$)(?P&lt;bar&gt;\w+$$)"

The panel search in UI mode shows a single $. If you edit the XML and remove one of the $ the UI panel search still shows a single $, but the panel search doesn't work and shows 'waiting for input'  - not quite the same as waiting for data, but I suspect it's the $ signs relating to the tokens that is the issue.

Note, your post said $row._time with no trailing $ - could be a typo, but generally non-functional searches with tokens in them are often the source of this problem.

View solution in original post
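
A small lint for the `$` versus `$$` behaviour described in the answer above, as an added example that is not part of the original thread and not Splunk's own parser: it scans each `<query>` in Simple XML source and reports single `$` characters that are neither an escaped `$$` nor part of a well-formed `$name$` token. The token-name character set and the sample dashboard are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: token names are word characters plus . : | - (e.g. $row._time$, $tok|s$).
TOKEN = re.compile(r"\$([\w.:|-]+)\$")

def scan_query(query):
    """Return (tokens, stray) for one <query> body taken from dashboard XML source.

    tokens: names found as $name$; stray: offsets of single '$' characters
    that are neither an escaped '$$' nor part of a well-formed $name$ token.
    """
    tokens, stray, i = [], [], 0
    while i < len(query):
        if query[i] != "$":
            i += 1
        elif query.startswith("$$", i):      # escaped literal dollar
            i += 2
        elif (m := TOKEN.match(query, i)):   # well-formed token reference
            tokens.append(m.group(1))
            i = m.end()
        else:                                # unbalanced '$'
            stray.append(i)
            i += 1
    return tokens, stray

def lint_dashboard(xml_source):
    """Map each <query> index to its stray '$' offsets; clean queries are omitted."""
    root = ET.fromstring(xml_source)
    findings = {}
    for n, q in enumerate(root.iter("query")):
        _, stray = scan_query(q.text or "")
        if stray:
            findings[n] = stray
    return findings

# Constructed sample: query 0 escapes the regex anchors, query 1 does not
# and also drops the trailing '$' of the token.
SAMPLE = r"""<dashboard>
  <row><panel><table><search>
    <query>index=main earliest=$row._time$ | rex field=foo "(?=\w+$$)(?P&lt;bar&gt;\w+$$)"</query>
  </search></table></panel></row>
  <row><panel><table><search>
    <query>index=main earliest=$row._time | rex field=foo "(?P&lt;bar&gt;\w+$)"</query>
  </search></table></panel></row>
</dashboard>"""

if __name__ == "__main__":
    for idx, offsets in lint_dashboard(SAMPLE).items():
        print(f"query #{idx}: unescaped '$' at offsets {offsets}")
```
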

VatsalJagani
SplunkTrust

@rivium_ro_mc - You have been given the answer to why you were getting that error by @bowesmana.

 

I'm just wondering why you need positive lookahead, any examples you can give to what should be matched and what not?

Why can't you use this regex directly?

(?P<bar>\w+$)

 

0 Karma

rivium_ro_mc
Explorer

Thanks @VatsalJagani. As you've indicated, the positive lookahead is not required in this case.

I was looking ahead for a particular string, before realising that the target string was present at the end of the source data (this won't always be the case). I initially appended the desired text to the existing lookahead, followed by the end of line ($), at which point I noticed the odd behaviour.

The issue was resolved quite quickly as you've described by removing the lookahead.

The question was more in regards to why the rex string was causing Splunk to behave as if a token wasn't being passed to the drilldown. The description of $$ vs $ in the SimpleXML source provides a good explanation of why this likely occurred and how it could be resolved if alternative regex such as [\r\n] isn't (or can't be) implemented.

VatsalJagani
SplunkTrust

@rivium_ro_mc - got it. 

Thanks for the explanation!!!

0 Karma

rivium_ro_mc
Explorer

Thanks - to clarify, the original message was quite likely "waiting for input" rather than "waiting for data", and you're correct regarding the typo for $row._time with no trailing $.

I believe I originally edited from the GUI, but it makes sense that the regex end of line was being interpreted as part of a token string to prompt with this message. In the case of 'end of string' inputs, the lookahead won't be required, and for other inputs, I imagine [\r\n] or variants could be used.

Thanks for the quick response 🙂

0 Karma
