Re: Error in 'rex' command: Invalid argument: ' ' ...

russell120 · ‎08-19-2019

Hi, I have a daily search that suddenly stopped working (upgraded from 6.7 to 7.1 before it stopped working, I believe):

|inputlookup my_file.csv
|eval shared_sources="master_source"
|append
   [search sourcetype="my_sourcetype" 
    |fields someIPs host
    |dedup someIPs 
    |rex field=host mode=sed "s/\..*$//"
    |rename someIPs as ip
    |rename host as host_my_sourcetype
    |eval shared_sources="my_sourcetype"]

What's the issue with my rex command?

woodcock · ‎08-19-2019

Upgrade to the latest maintenance release; there is nothing wrong with your rex.

russell120 · ‎08-19-2019

Just verified that the version we're using is 7.1.7. Is there any indication on what maintenance release we currently have in the Splunk version?

oscar84x · ‎08-19-2019

Does the sub-search work if you run it by itself or do you get the same error?

russell120 · ‎08-19-2019

@oscar84x I still get the same error

mayurr98 · ‎08-19-2019

could you provide sample test values for the host?

russell120 · ‎08-19-2019

@mayurr98 Sure, they're all in this format: GHRCEDC4BA.ghij.def.abc

Error in 'rex' command: Invalid argument: ' ' -- How do I fix this issue?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?