Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a syntax error in my search to extract a field from the source field?

HMTODD
Explorer
‎11-08-2016 06:33 AM

I am using the following search to extract a field, named 'JobName", from the field named "source"

index="nlg_test_csv_mfjobs" | rex field=source "SPLUNK\\(?[A-Z0-9]+)*_REPORT.*DETAILS.*\.CSV"

and I get this error:

Error in 'rex' command: Encountered the following error while compiling the regex 'SPLUNK\(?[A-Z0-9]+)*_REPORT.*DETAILS.*\.CSV': Regex: unmatched parentheses

I cannot find where the parenthesis are unmatched, unless they are being affected by the regular expression. The expression works in various online regex testers. I am concerned about some Splunk specific syntax that I may not be taking into account.

thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2016 07:28 AM

The right parenthesis needs to be escaped.

SPLUNK\(?[A-Z0-9]+\)*_REPORT.DETAILS..CSV

Depending on the data you are trying to match, one or more of the dots may need to be escaped as well.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-08-2016 11:33 AM

Give this a try

index="nlg_test_csv_mfjobs" | rex field=source "SPLUNK\\\(?<JobName>[A-Z0-9]+)*_REPORT\.DETAILS\.CSV"
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2016 07:28 AM

The right parenthesis needs to be escaped.

SPLUNK\(?[A-Z0-9]+\)*_REPORT.DETAILS..CSV

Depending on the data you are trying to match, one or more of the dots may need to be escaped as well.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

HMTODD
Explorer
‎11-08-2016 10:16 AM

I am not a regx expert, but "guessed" that something was messing with the parenthesis (based on the error). Ultimately, this worked...

rex field=source "SPLUNK\(?[A-Z0-9]+)_REPORT.*DETAILS..CSV"

0 Karma
Reply
Solved! Jump to solution

HMTODD
Explorer
‎11-08-2016 10:18 AM

Note that the string is being modified by the page after I submit. The string here is NOT correct. Let's try this. Note that the real search string does not have the outer quotes.

" rex field=source "SPLUNK\(?[A-Z0-9]+)_REPORT.*DETAILS..CSV" "

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2016 11:32 AM

So parens are not literally in your events. Didn't guess that without sample data. The new regex doesn't work in regex101.com, BTW, but that's probably a markup problem. If you put your regexes inside back-tics it won't be messed with by the site.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...