Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multiple rex expressions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to write to write a search to extract a couple of fields using rex. The text string to search is:
"SG:G006 Consumer:CG-900004_T01 Topic:ingressTopic Session: bc77465b-55fb-46bf-8ca1-571d1ce6d5c5 LatestOffset:1916164 EarliestOffset:0 CurrentOffset:1916163 MessagesToConsume:2"
I trying the following but nothing gets returned:
index=... | rex "MessagesToConsume:(?P<MessagesToConsume>\d+) CurrentOffset:(?P<CurrentOffset>\d+)" | where MessagesToConsume>1 | table CurrentOffset MessagesToConsume
CurrentOffset and MessagesToConsume are always empty, what am I doing wrong?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @subspacefield ,
if that is exactly how you have in your search then there are 2 issues.
- for rex - you need to tell it what to look at:
- Rex works as you would read something - when extracting you need to extract in the order things appear in the data.
Yours rex command:
| rex "MessagesToConsume:(?P<MessagesToConsume>\d+) CurrentOffset:(?P<CurrentOffset>\d+)"
Corrected rex command:
| rex field=_raw "CurrentOffset:(?P<CurrentOffset>\d+) MessagesToConsume:(?P<MessagesToConsume>\d+)"
When working with issue like this, regex101.com is your best friend:
https://regex101.com/r/4CkJF0/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @subspacefield ,
if that is exactly how you have in your search then there are 2 issues.
- for rex - you need to tell it what to look at:
- Rex works as you would read something - when extracting you need to extract in the order things appear in the data.
Yours rex command:
| rex "MessagesToConsume:(?P<MessagesToConsume>\d+) CurrentOffset:(?P<CurrentOffset>\d+)"
Corrected rex command:
| rex field=_raw "CurrentOffset:(?P<CurrentOffset>\d+) MessagesToConsume:(?P<MessagesToConsume>\d+)"
When working with issue like this, regex101.com is your best friend:
https://regex101.com/r/4CkJF0/1
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
