Splunk Dev

rex invalid argument

stwong
Communicator

Hi,

We're using 6.5.3. Got the error "Error in 'rex' command: Invalid argument: ' ' " for a query like the following:

index=security source="/data/*/vpn" IP=192.168.206.176 OR outerIP=192.168.206.176
            | rex field=_raw "IP=(?<VPN_IP>[^\s]*).*DN:.*outerIP=(?<clientIP>[^\s]*)"

I tried to replace with a simpler expression like "^(?<EveryThing>.*)$" but also get the same error.

Would anyone please help? Sorry for the newbie question.

Thanks and regards


DalJeanis
Legend

Interesting. It is not you, it is something quite strange. The rex works just fine for me on some mocked-up data. It is possible that there is some invisible/nonprintable control character in your search causing the problem. First, copy the entire search to Notepad, verify that it is plain text, then ctrl-a ctrl-v to paste it back into Splunk and submit the search again. If you get the same error, then proceed with these triage steps...

Okay, here are some triage steps. First, do this and check to see that there is a _raw field in the output...

 index=security source="/data/*/vpn" IP=192.168.206.176 OR outerIP=192.168.206.176 | head 1

Next, add just this line after the above. Copy and paste it from here...

| rex "IP=(?<VPN_IP>[^\s]*)"

If that causes an error, then please post the exact wording of the error, and a non-confidential version of the _raw. If there is no error, then add this line and run again...

| rex "outerIP=(?<clientIP>[^\s]*)"

If there is no error yet, then let us know and we can try to determine what was wrong with the rex. If the error does crop up, then when it appears, we will have more information.



stwong
Communicator

Hello,

Thanks a lot.

Right, probably some invisible characters were embedded, as I copied the query from an installed app.
It works if I type it from scratch.

Thanks again.
Best Regards
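As an added example (not from the thread or from Splunk), here is a small Python check for the kind of invisible character DalJeanis suspected and stwong confirmed: it lists every non-ASCII space, zero-width or control character in a pasted SPL string and produces a cleaned copy. The sample search below is the thread's query with a constructed NO-BREAK SPACE and ZERO WIDTH SPACE inserted.

```python
import unicodedata

def find_hidden_chars(spl):
    """Return (offset, 'U+XXXX', name) for each char in an SPL string that a
    person would not see but the rex parser will: non-ASCII space separators
    (Zs), format chars such as zero-width spaces (Cf) and controls (Cc) other
    than tab and newline."""
    findings = []
    for i, ch in enumerate(spl):
        if ch in "\t\n" or 0x20 <= ord(ch) <= 0x7E:
            continue
        if unicodedata.category(ch) in ("Zs", "Cf", "Cc"):
            name = unicodedata.name(ch, "<unnamed control>")
            findings.append((i, f"U+{ord(ch):04X}", name))
    return findings

def sanitize(spl):
    """Map every Unicode space separator to an ASCII space and drop format and
    control characters (tab and newline are kept). Other non-ASCII text is left
    untouched so legitimate field values in the search are not altered."""
    out = []
    for ch in spl:
        cat = unicodedata.category(ch)
        if ch in "\t\n" or 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        elif cat == "Zs":
            out.append(" ")
        elif cat in ("Cf", "Cc"):
            continue
        else:
            out.append(ch)
    return "".join(out)

# Constructed sample: the thread's search with a NO-BREAK SPACE (U+00A0) before
# the pipe and a ZERO WIDTH SPACE (U+200B) inside the capture-group name, the
# kind of residue a copy from a web page or packaged app can leave behind.
PASTED = (
    'index=security source="/data/*/vpn" IP=192.168.206.176 OR outerIP=192.168.206.176'
    '\u00a0| rex field=_raw "IP=(?<VPN_IP>[^\\s]*).*DN:.*outerIP=(?<client\u200bIP>[^\\s]*)"'
)
CLEAN = (
    'index=security source="/data/*/vpn" IP=192.168.206.176 OR outerIP=192.168.206.176'
    ' | rex field=_raw "IP=(?<VPN_IP>[^\\s]*).*DN:.*outerIP=(?<clientIP>[^\\s]*)"'
)

if __name__ == "__main__":
    for offset, cp, name in find_hidden_chars(PASTED):
        print(f"offset {offset}: {cp} {name}")
    print(sanitize(PASTED) == CLEAN)
```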
