
How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector."

MarkSplunker
Explorer

Why does this rex query work fine in a simple search, but then fail when used in both a primary and a subsearch? I need to parse fields in both places. I built an initial query that worked fine alone, then created a subsearch and copied/pasted the identical rex into it. It now fails with the error "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." This doesn't make sense to me since it worked alone, but now with two copies of them it fails.

What do you think is going on, and how do I fix it? The purpose is to find Devices with Tasks that failed at one time, but where a later Task succeeded. Thanks so much.

Here is the code, although for some reason the * asterisks after each dot (.) in the regexes don't seem to come through in the preview window:

source="File1.csv" index="inventory-legacy" | regex Notes="^Succ.*" | transaction Description | rex field=Description "^(?<TaskID>[^-]+).*" | rex field=Description "^[^-]+-(?<DeviceName>.*)" [ search source="File1.csv" index="inventory-legacy" | regex Notes="^Fail.*" | transaction Description | rex field=Description "^(?<TaskID>[^-]+).*" | rex field=Description "^[^-]+-(?<DeviceName>.*)" | dedup DeviceName, TaskID | fields DeviceName ] |sort  -_time, +TaskID, +DeviceName | table _time, TaskID, DeviceName, Description, Notes

More background: Initially I tried a simple query using (Notes="Succ*" OR Notes="Fail*") [thank you RickGalloway for your input] which does indeed pull all records, both successes and failures, but it's not quite what I want. I created the subsearch to first identify Devices associated with a particular TaskID that attempted an action at one time and failed. Once we have that pool of devices, the primary search looks to see which of those devices subsequently ran with a new TaskID that did succeed. Using a subsearch should greatly reduce the events returned, and will provide the answer I need to the question: "Which TaskID (a set of tests run on a Device) subsequently succeeded after a previous TaskID (different tests) had failed?" Thanks!

0 Karma
1 Solution

Raschko
Communicator

I guess the results of your subsearch are appended to the rex command. That's why you get the rex error.

Can you try to add

| search

in front of the subsearch?



MarkSplunker
Explorer

Excellent! Thank you Raschko, that did it. I didn't realize that rex would keep looking past the final double quote and get confused. I guess we need to fully terminate that command and start a new search. Thanks again!

0 Karma
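As an added example (not code from the original post), here is the query from the question with Raschko's fix applied: the subsearch is made the argument of an explicit `search` command, so the second `rex` is terminated before the subsearch's output is spliced in. Source, index and field names are the ones used in the question; the order of the other commands is unchanged.

```spl
source="File1.csv" index="inventory-legacy"
| regex Notes="^Succ.*"
| transaction Description
| rex field=Description "^(?<TaskID>[^-]+).*"
| rex field=Description "^[^-]+-(?<DeviceName>.*)"
| search [ search source="File1.csv" index="inventory-legacy"
           | regex Notes="^Fail.*"
           | transaction Description
           | rex field=Description "^(?<TaskID>[^-]+).*"
           | rex field=Description "^[^-]+-(?<DeviceName>.*)"
           | dedup DeviceName, TaskID
           | fields DeviceName ]
| sort -_time, +TaskID, +DeviceName
| table _time, TaskID, DeviceName, Description, Notes
```

The subsearch is evaluated first and is replaced by a clause of the form `(DeviceName="x" OR DeviceName="y" OR ...)`; the outer `search` then keeps only the successful transactions whose device appears in that list. Without the explicit `search`, that clause lands at the end of the preceding `rex`, which is why the parser rejected the `(`. Keeping `| fields DeviceName` matters: if TaskID were still present, the generated clause would also constrain TaskID and exclude the later, different task you are looking for. `dedup` keeps the returned list short, which is worth doing because subsearches are capped in result count and run time by default.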

MuS
Legend

Is this just a typo or are you missing a | after the second rex command?

0 Karma

MarkSplunker
Explorer

Hi, MuS. Thanks for responding. From my understanding and experience, subsearches provide an argument to the primary search. The subsearch runs first and provides results in the field DeviceName, which are then used to pull matching events in the primary search. When I tried inserting a | as you suggested it throws the error message: "Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '228' of search query 'search source="File1.c...{snipped} {errorcontext = me>.*)" | [ search so}'."

0 Karma

maciep
Champion

I don't do a lot with subsearch, so no expert here. But I think to the point MuS is making...you can just return your results into the existing rex command. Maybe you can try piping it to where instead. Or can you put your subsearch in before the first pipe? If the goal is to limit your results to DeviceNames from the subsearch, that should work right?

keeping in mind that I think that subsearch will return something like "(DeviceName="somedevice1" OR DeviceName="somedevice2" OR ...)"

So maybe either

... | where [source=.....] | sort - _time ...

OR

source="File1.csv" index="inventory-legacy" [source= ....] | regex Notes="^Succ.*" | ....

0 Karma

jeffland
SplunkTrust

Please post regex as code, otherwise the markup will mess them up. Also, maybe you don't need a subsearch at all if we can extract both success and failure in one go - can you post some sample data?

0 Karma

MarkSplunker
Explorer

Hi, Jeffland. I don't know how to post regex as code, and a google search didn't provide a useful answer. Can you explain how to do that, or post a link? Thanks for your help.

0 Karma

jeffland
SplunkTrust

You either enclose it in grave accents: `, or for longer code samples leave one line blank and indent each following line by four spaces.
You can also write your code, select it and use the fifth button on top of the text box.

0 Karma