Splunk Search

Problem with rex not doing anything at all, not even in its simplest form!

fere
Path Finder

Hi,
I am trying to extract the string after the first space, so for example I need to extract:
"02-main-menu" for the first record and "02-world" for the second record below. However, since I can't get rex to work, I thought I would just test rex with the simplest format and see what it does, and sure enough, it seems it doesn't do anything!

| inputlookup bwCustomerTransMovesByFlow_20130213-15.csv | fields move1 | eval c=mvcount(move1) | rex field=move1 "(?<mytest>)"

_time                     move1                  c   mytest
2/13/14 5:34:04.000 AM    01-ios 02-main-menu    1
2/13/14 12:51:13.000 AM   01-ios 02-world        1

Just to be sure that the field move1 is not multivalue, I did the mvcount(move1) and it returns 1 for all. I also tried doing "nomv move1" which did not make any difference.
The data in the inputlookup is generated as following:

....|  | transaction CUSTOMER_KEY  connected=t mvlist=t  keepevicted=t keeporphans=t  |   eval move1=mvindex(this_move2,0,1) | .... | makemv delim="," move1 |..... | sort 0 CUSTOMER_KEY | outputlookup bwCustomerTransMovesByFlow_20130213-15.csv

Btw, I forgot to take out "makemv delim="," move1", but it didn't do anything anyway, I think because it did not insert "," anywhere. Besides, nomv supposedly should undo it.

Appreciate a quick response. I am stuck!

Thanks

1 Solution

Ayn
Legend

Your rex doesn't do anything because you're not telling it to do anything. When you do rex field=move1 "(?<mytest>)" you're not including anything to capture in your matching group, and so nothing will be captured either.

The simplest form to try out would be a matching group with .+ ("read all characters from input", more or less), so in your case you would do:

... | rex field=move1 "(?<mytest>.+)"


fere
Path Finder

Doesn't . (dot) mean any character except newline? When I use the above regex for
move1="01-ios 02-main-menu"
it returns "01-ios" for mytest. How does it know that it should stop at the space?

I am trying to come up with the regex that would actually return the part after the last whitespace (in this example, "02-main-menu").
Appreciate your help.


fere
Path Finder

It works. Many thanks for your quick response.


krish3
Contributor

Try with this...

rex field=move1 "^(?<mytest>\w+$)"

fere
Path Finder

It doesn't work. It returns null for mytest.

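The regexes traded in this thread (the empty group, the accepted `.+` answer, krish3's `\w+` pattern, and a pattern for the follow-up question about the text after the last whitespace), run side by side as an added example that is not part of the thread. JavaScript's RegExp accepts the same `(?<name>...)` capture syntax as Splunk's rex; the two sample values are taken from the records in the question, and `rexCapture` is a hypothetical helper that mimics rex leaving the field unset when nothing matches.

```javascript
// Constructed sample values: the two move1 records from the question.
const samples = ["01-ios 02-main-menu", "01-ios 02-world"];

// Stand-in for `rex field=move1 "<pattern>"`: returns the named capture,
// or null when the pattern does not match at all (rex would leave the
// field unset in that case).
function rexCapture(value, pattern, group = "mytest") {
  const m = new RegExp(pattern).exec(value);
  if (!m || !m.groups || m.groups[group] === undefined) return null;
  return m.groups[group];
}

const patterns = {
  // Original attempt: the group is empty, so it matches and captures "".
  emptyGroup: "(?<mytest>)",
  // Accepted answer: .+ swallows the whole value (space included).
  dotPlus: "(?<mytest>.+)",
  // krish3's suggestion: \w matches neither ' ' nor '-', and with ^...$
  // the whole value must be word characters, so it never matches here.
  wordOnly: "^(?<mytest>\\w+$)",
  // Follow-up question: a run of non-space characters anchored at the end
  // of the value gives the part after the last whitespace.
  lastToken: "(?<mytest>\\S+)$",
};

// Apply every pattern to one value and report what each would capture.
function captureAll(value) {
  const out = {};
  for (const [name, pattern] of Object.entries(patterns)) {
    out[name] = rexCapture(value, pattern);
  }
  return out;
}

for (const v of samples) {
  console.log(v, captureAll(v));
}
```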