
Rex positive lookahead (?=) in dashboard causing "waiting for data"

rivium_ro_mc
Explorer

Does anyone know why a lookahead such as the following causes a dashboard panel to hang with "waiting for data", but works perfectly when run in an independent search?

 

rex field=foo "(?=\w+$)(?P<bar>\w+$)"

 

Stranger still - if the rex command is ``` commented out ```, the issue continues to occur.

For context, the panel is a tabular drilldown panel that uses a boolean token to display on/off, and two tokens for earliest and latest values, based on the selected "row" of a column chart using $row._time and relative_time($row._time$, "+1h"). The panel displays without issue when the rex is removed. Other rex commands work without issue.

The solution in this case was to remove the lookahead entirely. However, given the status of "waiting for data", does anyone know the cause (and thus ways to avoid this issue in general)?

0 Karma
1 Solution

bowesmana
SplunkTrust

How many $ signs do you have in your regex?

If you make a search which includes that rex statement as shown in your post and save it as a dashboard panel, in the raw XML, you will see

| rex field=_raw "(?=\w+$$)(?P&lt;bar&gt;\w+$$)"

The panel search in UI mode shows a single $. If you edit the XML and remove one of the $, the UI panel search still shows a single $, but the panel search doesn't work and shows 'waiting for input' - not quite the same as waiting for data, but I suspect it's the $ signs relating to the tokens that is the issue.

Note, your post said $row._time with no trailing $ - could be a typo, but generally non-functional searches with tokens in them are often the source of this problem


VatsalJagani
SplunkTrust

@rivium_ro_mc - You have been given the answer to why you were getting that error by @bowesmana.

 

I'm just wondering why you need positive lookahead, any examples you can give to what should be matched and what not?

Why can't you use this regex directly?

(?P<bar>\w+$)

 

0 Karma

rivium_ro_mc
Explorer

Thanks @VatsalJagani. As you've indicated, the positive lookahead is not required in this case.

I was looking ahead for a particular string, before realising that the target string was present at the end of the source data (this won't always be the case). I initially appended the desired text to the existing lookahead, followed by the end of line ($), at which point I noticed the odd behaviour.

The issue was resolved quite quickly as you've described by removing the lookahead.

The question was more in regards to why the rex string was causing Splunk to behave as if a token wasn't being passed to the drilldown. The description of $$ vs $ in the SimpleXML source provides a good explanation of why this likely occurred and how it could be resolved if alternative regex such as [\r\n] isn't (or can't be) implemented.

VatsalJagani
SplunkTrust

@rivium_ro_mc - got it. 

Thanks for the explanation!!!

0 Karma

rivium_ro_mc
Explorer

Thanks - to clarify, the original message was quite likely "waiting for input" rather than "waiting for data", and you're correct regarding the typo for $row._time with no trailing $.

I believe I originally edited from the GUI, but it makes sense that the regex end of line was being interpreted as part of a token string to prompt with this message. In the case of 'end of string' inputs, the lookahead won't be required, and for other inputs, I imagine [\r\n] or variants could be used.

Thanks for the quick response 🙂

0 Karma
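
The `$$` escaping described in the accepted answer can be checked mechanically before a dashboard is saved. The following is an added example, not part of the original thread and not Splunk tooling: a small Python linter that flags `$` characters in SimpleXML `<query>` elements that are neither escaped as `$$` nor part of a `$token$` reference. The sample dashboard, the `index=main` search and the token-name character class are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# "$$" is an escaped literal dollar, "$name$" is a token reference,
# and any other "$" is a stray that the dashboard may read as an unfinished token.
# The token-name character class is an approximation assumed for this example.
DOLLAR = re.compile(r"\$\$|\$[\w.:|]+\$|\$")

def stray_dollars(query):
    """Return offsets of '$' that are neither part of '$$' nor of a '$token$'."""
    return [m.start() for m in DOLLAR.finditer(query) if m.group() == "$"]

def lint_dashboard(xml_source):
    """Map each <query> element (by position) to the stray '$' offsets in its text."""
    root = ET.fromstring(xml_source)
    report = {}
    for index, node in enumerate(root.iter("query")):
        offsets = stray_dollars(node.text or "")
        if offsets:
            report[index] = offsets
    return report

# Constructed sample: panel 0 uses a single "$" as the regex end-of-line anchor,
# panel 1 uses the "$$" form that the raw XML is expected to contain.
SAMPLE = r"""<dashboard>
  <row><panel><table><search>
    <query>index=main earliest=$row._time$ | rex field=foo "(?=\w+$)(?P&lt;bar&gt;\w+$)"</query>
  </search></table></panel></row>
  <row><panel><table><search>
    <query>index=main earliest=$row._time$ | rex field=foo "(?=\w+$$)(?P&lt;bar&gt;\w+$$)"</query>
  </search></table></panel></row>
</dashboard>"""

if __name__ == "__main__":
    for index, offsets in lint_dashboard(SAMPLE).items():
        print(f"query #{index}: unescaped '$' at offsets {offsets}")
```

The same check also catches a token reference that is missing its trailing `$`, such as `$row._time`.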
