Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Problem with rex not doing anything at all, no...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to extract the string after the first space, so for ex. I need to extract:
"02-main-menu" for the first record and "02-world" for the second record below. However, since I can't get the rex work, I thought I just test rex with a simplest format and see what it does, adn sure enough, it seems it doesn't do anything!
| inputlookup bwCustomerTransMovesByFlow_20130213-15.csv | fields move1 | eval c=mvcount(move1) | rex field=move1 "(?<mytest>)"
_time move1 c mytest
2/13/14 5:34:04.000 AM 01-ios 02-main-menu 1
2/13/14 12:51:13.000 AM 01-ios 02-world 1
Just to be sure that the field move1 is not being a multivalue Idid the mvcount(move1) and it returns 1 for all. I also tried doing "nomv move1" which did not make any difference.
The data in the inputlookup is generated as following:
....| | transaction CUSTOMER_KEY connected=t mvlist=t keepevicted=t keeporphans=t | eval move1=mvindex(this_move2,0,1) | .... | makemv delim="," move1 |..... | sort 0 CUSTOMER_KEY | outputlookup bwCustomerTransMovesByFlow_20130213-15.csv
btw, I forgot to take out "makemv delim="," move1", but it didn't do anything anyway I think becasue it did ot insert "," anywhere. Besides, nomv supposedly should undo it.
Apreciate a quick repsonse. I am stuck!
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your rex doesn't do anything because you're not telling it to do anything. When you do rex field=move1 "(?<mytest>)" you're not including anything to capture in your matching group, and so nothing will be captured either.
The simplest form to try out would be a matching group with .+ ("read all characters from input", more or less), so in your case you would do:
... | rex field=move1 "(?<mytest>.+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your rex doesn't do anything because you're not telling it to do anything. When you do rex field=move1 "(?<mytest>)" you're not including anything to capture in your matching group, and so nothing will be captured either.
The simplest form to try out would be a matching group with .+ ("read all characters from input", more or less), so in your case you would do:
... | rex field=move1 "(?<mytest>.+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Isn't . (dot) mean any character except new line? When I use the above regex for
move1="01-ios 02-main-menu"
it returns "01-ios" for mytest. How does it know that it should stop at the space?
I am trying to come up with the regex that would actually return the part after the last white space (in this ex. "02-main-menu".
Appreciate your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works. Many thanks for your quick response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with this...
rex field=move1 "^(?<mytest>\w+$)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it doesn't work. it returns null for mytest.
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
