Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Problem with a regular expression in rex

bfay
Explorer
โ€Ž05-12-2011 05:58 AM

I have a weird problem with the rex command on splunk version 4.2.1. This is the rex I use with a timeframe of Previous month: 

... | rex "FROM \"dbo\"\.\"(?<table>[a-zA-Z_]*)\"" | top table

This return 10 tables while I should have 27. Splunk is installed on a Linux server so I used grep on the log files for the month of April and found 27 tables.

Splunk found the tables in the following log entries:

... FROM "dbo"."AUTOP" ...
... FROM "dbo"."DECES_MSSS" ...
... FROM "dbo"."INDV" ...
... FROM "dbo"."INDV_ANAL" ...
... FROM "dbo"."MED_SEJ_HOSP" ...
... FROM "dbo"."RESID" ...
... FROM "dbo"."SERV_MEDI" ...
... FROM "dbo"."V_CARDIO_SERV_MEDI" ...
... FROM "dbo"."V_DIABETE_SERV_MEDI" ...
... FROM "dbo"."V_MENTALDEMENCE_SERV_MEDI" ...

but skipped all the following table:

... FROM "dbo"."ADMI_ASSU_MALA" ...
... FROM "dbo"."ADMI_ASSU_MEDI" ...
... FROM "dbo"."CLAS_PROF" ...
... FROM "dbo"."DECOMPTE" ...
... FROM "dbo"."FUSI_SCIS" ...
... FROM "dbo"."INSC_PROF" ...
... FROM "dbo"."MED_SEJ_HOSP_CONS" ...
... FROM "dbo"."MED_SEJ_HOSP_INTRVN" ...
... FROM "dbo"."MED_SEJ_HOSP_SERV" ...
... FROM "dbo"."MED_SEJ_HOSP_SOIN_INTSF" ...
... FROM "dbo"."MED_SEJO_HOSP_DIAG" ...
... FROM "dbo"."PROV" ...
... FROM "dbo"."SERV_OPTO" ...
... FROM "dbo"."SERV_PHARM" ...
... FROM "dbo"."TERR" ...
... FROM "dbo"."V_ASTHME_SERV_MEDI" ...
... FROM "dbo"."V_MED_SEJ_HOSP_COURT_DUR" ...

This a pretty simple regular expression. What could be wrong with it?

Thanks,
Bernard

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
โ€Ž05-12-2011 06:56 AM

I would say your regular expression is fine. It's your use of "| top", which by default only shows the "top 10" results of the search. You can add a limit=xxx to top to expand how many results it shows.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
โ€Ž05-12-2011 06:56 AM

I would say your regular expression is fine. It's your use of "| top", which by default only shows the "top 10" results of the search. You can add a limit=xxx to top to expand how many results it shows.

View solution in original post

Reply