Hello Splunkers,
I'm working on creating a DB health check report. Idea is to get the error info when there is a failed db connection. When I'm trying to run the search below in Splunk QA I'm getting an error as Error in 'rex' command: Encountered the following error while compiling the regex '^(?<error>.*)\n?': Regex: syntax error in subpattern name (missing terminator).
Could you please help me resolve this issue? Thanks in advance.
index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*"
| eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S")
| join type=left connection [search index="_internal" sourcetype=dbx_server ERROR
| rex field=_raw "^(?<error>.*)\n?"
| rex field=error "/api/connections/(?<connection>[^/]+)"]
| stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name
| sort - status
hi @firefox95 , if you are using this search for a report , please use below
index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*"
| eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S")
| join type=left connection [search index="_internal" sourcetype=dbx_server ERROR
| rex field=_raw "^(?<error>.*)\n?"
| rex field=error "/api/connections/(?<connection>[^/]+)"]
| stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name
| sort - status
Hi @firefox95,
the first regex isn't so clear for me, because it seems that you take with the first regex all the _raw and with the second a part of it, so why you extracted twice?
could you share an example of your logs?
Then when you insert codes please use the "Insert/Edit Code Sample" button (the one with "</>").
At least why do you use Join between in a search on the same index? remember that there's the limit of 50,000 results in subsearches, maybe it's possible to run a simpler search.
Ciao.
Giuseppe