Splunk Search
Highlighted

Regex Error

Explorer

Hi,

I am trying to use simple regex to find clients with specific IPs. My regex looks like

status=404 | regex host=*10.\d\d\d.\d\d\d.\d\d\d*

When I run the search in splunk it gives me error which looks like -

Error in 'SearchOperator:regex': The regex '*10.\d\d\d.\d\d\d.\d\d\d*' is invalid. nothing to repeat.

I am completely new to splunk. So, any help is appreciated.

Thanks,

Rahil

Tags (3)
Highlighted

Re: Regex Error

Communicator

Your problem might be that you didnt escape the dots(.) in your regular expression. Try this:

 | regex host="10\.\d+\.\d+\.\d+"

View solution in original post

0 Karma
Highlighted

Re: Regex Error

Explorer

Thanks for the help. I just copied the text from Splunk User Manual but didn't know that I need to escape the dots.

Thanks again for you help. 🙂

0 Karma
Highlighted

Re: Regex Error

Communicator

No problem! Glad to help 🙂

0 Karma
Highlighted

Re: Regex Error

SplunkTrust
SplunkTrust

Depending on what you're trying to do you might be better off just searching for the IP addresses than using regex command. status="404" host="10.*"

0 Karma
Highlighted

Re: Regex Error

Explorer

The prior poster gave good advice about an additional problem. The particular error shown, "nothing to repeat", was referring to the use of an asterisk as the first character. The asterisk means "zero or more of the preceding token" (e.g. the most recent discrete thing just to the left of the asterisk). Because the given regex started with an asterisk, Splunk threw an error because there was nothing to the left of the asterisk to repeat.