In Splunk 6.6.1, it seems like multiple rex commands with the same field name no longer work in Fast or Smart mode if they are followed by, for example, stats or table.
I want to rex the words "please", "extract" and "me":
index=test please_extract_me | rex "(?<my_field>.*)_extract_me" | rex "please_(?<my_field>.*)_me" | rex "please_extract_(?<my_field>.*)" | stats count by my_field
Usually, regardless of what search mode was used, I would/should get three lines as result. Now I have to select Verbose mode to get it to work; in Fast or Smart mode, only the last rex works and will show up in the count.
One way around this is apparently by doing this, as if the different rex's would create multiple fields with the same name instead of one field with multiple values:
index=test please_extract_me | rex "(?<my_field>.*)_extract_me" | rex "please_(?<my_field>.*)_me" | rex "please_extract_(?<my_field>.*)" | fields * | stats count by my_field
Anyone else experiencing this?
bug tag and open a support case. Also go to the documentation page for the release notes and leave a comment there that a note should be added.
My comment is only valid assuming that you are entirely correct about the change in behavior, which may not be the case.
You're using the same field name in all your rex commands, so every rex command is overwriting the value from the previous rex command, hence you would see the value "me" that was extracted from the last regex. That's how rex behaves regardless of the search mode selected (as seen in Splunk 6.2, 6.3). Do you really get multiple field values from your query when you run the search in Verbose mode?
That is really strange. Would you be able to share a screenshot with results of query in verbose mode something like this?
index=test please_extract_me| head 2 | rex "(?<my_field>.*)_extract_me" | rex "please_(?<my_field>.*)_me" | rex "please_extract_(?<my_field>.*)" | table my_field
AFAIK, the dashboard queries are run in fast mode, so wonder it ever worked.
That's not my understanding of how it ever worked... so if it DOES work in verbose mode, that is probably a bug in verbose mode. Each rex should overwrite the field... I have rexes in production that assume this, and that are working as designed.
But I know for a fact that it has actually worked before, since I've built functioning dashboards around this behavior, that now don't work any longer.
And again, adding fields * after the multiple rex commands makes it work, which to me doesn't make sense.
A later failed-to-match rex has never overwritten an earlier succeeded-to-match rex, in my experience. Perhaps this is what he means (that a later null-match is clearing an earlier match).
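
An added example, not posted by anyone in this thread: a form of the search that does not depend on how repeated rex commands writing to the same field name interact in any search mode. It extracts into three separate fields (part1, part2 and part3 are assumed names) and combines them into one multivalue field with mvappend; the makeresults line builds a constructed sample event in place of index=test.

```spl
| makeresults
| eval _raw="please_extract_me"
| rex "(?<part1>.*)_extract_me"
| rex "please_(?<part2>.*)_me"
| rex "please_extract_(?<part3>.*)"
| eval my_field=mvappend(part1, part2, part3)
| stats count by my_field
```

Because stats splits a multivalue by-field into one row per value, this returns three rows (extract, me, please), each with a count of 1.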