Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my rex command not working?

rajasplunk89
Engager
‎09-13-2022 09:44 PM

Hi all,

I am trying to extract field ABDEF-999 in the name Id. But its not extracting when I use below commands. Could someone guide on what's the mistake in following rex.

|rex field="line" "\"Testcode\":\"(?<id>[^\"]*)\""|table id

 

Extracting from =   \\\"Testcode\\\":\\\"ABDEF-999\\\"

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎09-14-2022 02:05 AM

@rajasplunk89 ,

Sorry, Splunk needs an extra escape for backslash; 

| rex field=line "\"Testcode\S+\":\S+\"(?<id>[^\\\]+)\S+\"" | table id
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

rajasplunk89
Engager
‎09-13-2022 10:26 PM

Is there anything I can do to resolve the error?

0 Karma
Reply

rajasplunk89
Engager
‎09-13-2022 10:05 PM

Error in 'rex' command: Encountered the following error while compiling the regex '"Testcode\S+":\S+"(?<id>[^\]+)\S+"': Regex: missing terminating ] for character class

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎09-13-2022 09:52 PM

Hi @rajasplunk89,

Below should work;

| rex field=line "\"Testcode\S+\":\S+\"(?<id>[^\\]+)\S+\"" | table id
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...