Splunk Search

How to use the field extraction expression directly with a rex command?

Real_captain
Path Finder

Hi Team 

Can you please let me know how I can use the below field extraction formula directly with the rex command?

Field extraction formula:
^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)

0 Karma

Real_captain
Path Finder

Hi @inventsekar,
The error is faced with the first rex command.

0 Karma

isoutamo
SplunkTrust

As has already been said, you must escape all special characters!

...
| rex "(?P<POH>[^\"]+)"

should fix this one. Just do the rest the same way.

0 Karma

inventsekar
SplunkTrust

Hi @Real_captain, could you please avoid creating duplicate posts?
On your post from yesterday, could you please provide us some more suggestions and details? Then troubleshooting your issue will become easier. Thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma

PickleRick
SplunkTrust

@inventsekar This one is actually a bit different from those two threads from yesterday that I merged into one.

@Real_captain Inline extractions must use named capture groups, which directly translate to extracted fields (with transform-based extractions you can use numbered capture groups to define fields).

So you can simply do

| rex "your_regex_here"

With just one caveat. Since the argument to rex command is a string you have to properly escape all necessary characters (mostly quotes and backslashes).

0 Karma

Real_captain
Path Finder

@PickleRick  

I am getting below error while using the expression with the rex command: 

| rex "^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)"

Error in 'SearchParser': Missing a search command before '^'. Error at position '161' of search query 'search index="events_prod_val_ssip_esa" sourcetype...{snipped} {errorcontext = "(?P<POH>[^"]+)"}'.

0 Karma

PickleRick
SplunkTrust

As I said, you have to escape the sensitive characters within the string argument. This means that instead of a single backslash you have to use two backslashes, and instead of just a quote you need an escaped quote (backslash quote).

0 Karma

inventsekar
SplunkTrust

Hi @Real_captain, troubleshooting a rex command is often a difficult task,
particularly when we don't know what the issue itself is.

To understand the error message (search command required before "^"...), if you could copy and paste a sample log line, that would be great (remove sensitive details like hostnames, IP addresses, etc.).

Maybe try this step-by-step troubleshooting.

First, this rex command:
| rex "(?P<POH>[^"]+)" | table POH

Then, this rex command:
| rex "\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)" | table POH

Finally, this rex command:
| rex "^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)" | table POH

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma
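As an added example (not code from this thread or from Splunk), the escaping rule PickleRick describes and the step-by-step check inventsekar suggests, worked through in Python. The regex from the question is turned into a double-quoted rex argument by escaping every backslash and every double quote; the literal is unescaped again to confirm the regex engine would receive exactly the original pattern; the pattern is run against a constructed sample event to show the named group POH becoming a field; and a simplified model of where a double-quoted SPL string ends shows why the unescaped command from the error report is cut off after the first inner quote, leaving text where the parser expects a search command. The sample event, the helper names and the string-parser model are assumptions for illustration, not Splunk internals.

```python
import re

# Regex exactly as posted in the question (from the Splunk field extractor UI).
FIELD_EXTRACTION_REGEX = r'^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)'

# Constructed sample event (assumption, not from the thread): seven
# comma-separated fields, then a space, then a JSON-style key made of five
# underscore-joined words and its quoted value.
SAMPLE_EVENT = (
    '2024-10-07 10:15:00,host01,INFO,storage-agent,req-123,200,user42, '
    '"power_on_hours_total_value": "1234", "disk_id": "sdb"'
)

# The rex argument as typed in the error report: inner quotes not escaped.
BROKEN_REX_ARG = r'"^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)"'


def spl_string_literal(regex: str) -> str:
    """Wrap a regex in double quotes so it can be the argument of rex.

    Inside a double-quoted SPL string the two characters that need escaping
    are the backslash and the double quote: each backslash becomes two
    backslashes and each double quote becomes backslash-quote.
    """
    escaped = regex.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def spl_string_unescape(literal: str) -> str:
    """Inverse of spl_string_literal: drop the quotes and undo the escapes.

    Lets us check that the pattern handed to the regex engine is the
    original regex, byte for byte.
    """
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not a double-quoted SPL string literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def spl_literal_extent(text: str) -> int:
    """Index just past the closing quote of the string that starts text.

    Simplified model (assumption) of the SPL string parser: a backslash
    protects the next character, and the first unprotected double quote
    closes the string. Whatever follows is parsed as a new token.
    """
    if not text.startswith('"'):
        raise ValueError("string literal must start with a double quote")
    i = 1
    while i < len(text):
        if text[i] == "\\":
            i += 2
            continue
        if text[i] == '"':
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def rex_command(regex: str, field: str = "_raw") -> str:
    """Build the inline-extraction rex command for a regex (hypothetical helper)."""
    return f"| rex field={field} {spl_string_literal(regex)}"


def has_named_groups(regex: str) -> bool:
    """rex derives fields from named capture groups; check the pattern has some."""
    return len(re.compile(regex).groupindex) > 0


def extract_named_fields(regex: str, event: str) -> dict:
    """Apply the regex the way rex would: each named group becomes a field."""
    m = re.search(regex, event)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    cmd = rex_command(FIELD_EXTRACTION_REGEX)
    print(cmd)
    # Round trip: the escaped literal unescapes back to the original regex.
    assert spl_string_unescape(spl_string_literal(FIELD_EXTRACTION_REGEX)) == FIELD_EXTRACTION_REGEX
    print(extract_named_fields(FIELD_EXTRACTION_REGEX, SAMPLE_EVENT))
    # Where the unescaped argument from the error report stops being a string.
    end = spl_literal_extent(BROKEN_REX_ARG)
    print("string ends after:", BROKEN_REX_ARG[:end], "| leftover:", BROKEN_REX_ARG[end:])
```

Running the script prints the rex command with every backslash doubled and every inner quote written as backslash-quote, the extracted field {'POH': '1234'}, and, for the unescaped argument, a string literal that ends right after {7}\s+ with the rest of the regex left over as unparsed text, which is the situation the "Missing a search command" error describes.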