
Multiple rex commands no longer works in Fast/Smart mode?

In Splunk 6.6.1, it seems like multiple rex commands with the same field name no longer work in Fast or Smart mode if they are followed by, for example, stats or table.

I want to rex the words "please", "extract" and "me":

index=test please_extract_me
| rex "(?<my_field>.*)_extract_me"
| rex "please_(?<my_field>.*)_me"
| rex "please_extract_(?<my_field>.*)"
| stats count by my_field

Usually, regardless of which search mode was used, I would/should get three lines as the result. Now I have to select Verbose mode to get it to work; in Fast or Smart mode, only the last rex works and will show up in the count.

One way around this is apparently by doing the following, as if the different rex commands created multiple fields with the same name instead of one field with multiple values:

index=test please_extract_me
| rex "(?<my_field>.*)_extract_me"
| rex "please_(?<my_field>.*)_me"
| rex "please_extract_(?<my_field>.*)"
| fields *
| stats count by my_field

Anyone else experiencing this?


Re: Multiple rex commands no longer works in Fast/Smart mode?

Esteemed Legend

Add the bug tag and open a support case. Also go to the documentation page for the release notes and leave a comment there that a note should be added.


Re: Multiple rex commands no longer works in Fast/Smart mode?

Esteemed Legend

My comment is only valid assuming that you are entirely correct about the change in behavior, which may not be the case.


Re: Multiple rex commands no longer works in Fast/Smart mode?

SplunkTrust

You're using the same field name in all your rex commands, so every rex command is overwriting the value from the previous rex command; hence you would see the value me that was extracted by the last regex. That's how rex behaves regardless of the search mode selected (as seen in Splunk 6.2, 6.3). Do you really get multiple field values from your query when you run the search in Verbose mode?


Re: Multiple rex commands no longer works in Fast/Smart mode?

Yes, Verbose mode works fine, and I've been using this in a dashboard that now suddenly has stopped working.


Re: Multiple rex commands no longer works in Fast/Smart mode?

SplunkTrust

That is really strange. Would you be able to share a screenshot with the results of a query in verbose mode, something like this?

index=test please_extract_me | head 2
| rex "(?<my_field>.*)_extract_me"
| rex "please_(?<my_field>.*)_me"
| rex "please_extract_(?<my_field>.*)"
| table my_field

AFAIK, the dashboard queries are run in fast mode, so I wonder if it ever worked.


Re: Multiple rex commands no longer works in Fast/Smart mode?

SplunkTrust

That's not my understanding of how it ever worked... so if it DOES work in verbose mode, that is probably a bug in verbose mode. Each rex should overwrite the field... I have rexes in production that assume this, and that are working as designed.


Re: Multiple rex commands no longer works in Fast/Smart mode?

But I know for a fact that it has actually worked before, since I've built functioning dashboards around this behavior, which now don't work any longer.

And again, adding fields * after the multiple rex commands makes it work, which to me doesn't make sense.


Re: Multiple rex commands no longer works in Fast/Smart mode?

Esteemed Legend

A later failed-to-match rex has never overwritten an earlier succeeded-to-match rex, in my experience. Perhaps this is what he means (that a later null-match is clearing an earlier match).


Re: Multiple rex commands no longer works in Fast/Smart mode?

Explorer

Did you try using only one rex command?

...
| rex field=_raw "(?P<field1>[^_]+)_(?P<field2>[^_]+)_(?P<field3>.*)"
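A small simulation, added here and not written by any of the posters, of the two behaviors this thread describes: the three overlapping rex patterns from the original post applied with either multivalue (Verbose) or overwrite (Fast/Smart) semantics, and then the single-rex alternative from the last reply. It does not reproduce Splunk internals; the helper names `run_rex_pipeline`, `stats_count_by` and `single_rex` are made up and the sample event is constructed.

```python
import re

# Constructed sample event, mirroring the thread's search "index=test please_extract_me".
EVENT = "please_extract_me"

# The three rex patterns from the original post, all writing to my_field.
REX_PATTERNS = [
    r"(?P<my_field>.*)_extract_me",
    r"please_(?P<my_field>.*)_me",
    r"please_extract_(?P<my_field>.*)",
]

def run_rex_pipeline(raw, patterns, field, multivalue):
    """Apply each rex in order and return the value(s) that end up in `field`.

    multivalue=True keeps every successful extraction (the three-row result the
    poster sees in Verbose mode); multivalue=False lets each later rex overwrite
    the earlier value (the single "me" row reported for Fast/Smart mode).
    A rex that does not match leaves the field untouched in both cases.
    """
    values = []
    for pat in patterns:
        m = re.search(pat, raw)
        if m is None:
            continue
        values = values + [m.group(field)] if multivalue else [m.group(field)]
    return values

def stats_count_by(events, patterns, field, multivalue):
    """Rough stand-in for `| stats count by my_field` over the pipeline output."""
    counts = {}
    for raw in events:
        for value in run_rex_pipeline(raw, patterns, field, multivalue):
            counts[value] = counts.get(value, 0) + 1
    return counts

# Single-rex alternative from the last reply. The `+` matters: a bare `[^_]`
# matches exactly one character, so it would never capture a whole word.
SINGLE_REX = r"(?P<field1>[^_]+)_(?P<field2>[^_]+)_(?P<field3>.*)"

def single_rex(raw):
    m = re.search(SINGLE_REX, raw)
    return m.groupdict() if m else {}

if __name__ == "__main__":
    print(stats_count_by([EVENT], REX_PATTERNS, "my_field", multivalue=True))
    print(stats_count_by([EVENT], REX_PATTERNS, "my_field", multivalue=False))
    print(single_rex(EVENT))
```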