Splunk Search

Field extraction receiving error message

atatistcheff
Explorer

Any time I try using the Extract Field option in an event list the next page returns this error:

Error in 'rex' command:

The regex '//' does not extract anything. It should specify at least one named group. Format: (?...).

This used to work but it's been a few months since I tried it. I'm not doing anything special as you can see. The regex is just // yet it returns nothing. I tried restarting Splunk but I think something is broken somewhere.

0 Karma
1 Solution

atatistcheff
Explorer

I found the problem, there was a field extraction saved with just // in the regex. Not sure how it got there or why it was screwing up the extract. Deleting this extraction fixed the issue, I can now proceed through the wizard to extract additional fields.

alt text

View solution in original post

atatistcheff
Explorer

I found the problem, there was a field extraction saved with just // in the regex. Not sure how it got there or why it was screwing up the extract. Deleting this extraction fixed the issue, I can now proceed through the wizard to extract additional fields.

alt text

woodcock
Esteemed Legend

Great job! Now come back here and click Accept on your answer to close the question.

0 Karma

atatistcheff
Explorer

Thanks for the answer but I have no way to mention a field name. To be clear, all i'm doing is clicking the Extract Fields option in the event and getting an error. Please see the screenshots below.

0 Karma

uagrawal_splunk
Splunk Employee
Splunk Employee

The screenshots are not attached.

0 Karma

atatistcheff
Explorer

Sorry, I'm not good at attaching. See if you can find them here.

alt text
alt text

0 Karma

uagrawal_splunk
Splunk Employee
Splunk Employee

In which Splunk Version you are getting this error?

0 Karma

uagrawal_splunk
Splunk Employee
Splunk Employee

According to me, you have to mention field name in rex, which you can use further,
like (?<Name>//)

Please refer doc for more info:
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...