Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting error in rex command while running search for DB health check report.

firefox95
Observer
‎09-02-2020 01:11 AM

Hello Splunkers,

I'm working on creating a DB health check report. Idea is to get the  error info when there is  a failed db connection.  When I'm trying to run the search below in Splunk QA I'm getting an error as Error in 'rex' command: Encountered the following error while compiling the regex '^(?<error>.*)\n?': Regex: syntax error in subpattern name (missing terminator).

Could you please help me resolve this issue? Thanks in advance. 

index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*"
| eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S")
| join type=left connection [search index="_internal" sourcetype=dbx_server ERROR
| rex field=_raw "^(?<error>.*)\n?"
| rex field=error "/api/connections/(?<connection>[^/]+)"]
| stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name
| sort - status
Labels (2)
Labels
Tags (1)
0 Karma
Reply

Nisha18789
Builder
‎09-02-2020 01:26 AM

hi @firefox95 , if you are using this search for a report , please use below 

index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*"
| eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S")
| join type=left connection [search index="_internal" sourcetype=dbx_server ERROR
| rex field=_raw "^(?<error>.*)\n?"
| rex field=error "/api/connections/(?<connection>[^/]+)"]
| stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name
| sort - status

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-02-2020 01:23 AM

Hi @firefox95,

the first regex isn't so clear for me, because it seems that you take with the first regex all the _raw and with the second a part of it, so why you extracted twice?

could you share an example of your logs?

Then when you insert codes please use the "Insert/Edit Code Sample" button (the one with "</>").

At least why do you use Join between in a search on the same index? remember that there's the limit of 50,000 results in subsearches, maybe it's possible to run a simpler search.

Ciao.

Giuseppe

0 Karma
Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!