Splunk Search

Regex command causing the search to not work - unknown search command

ssjabid
Explorer

Hi People,

I am trying to run a regex command to cut out a part of the REQ field,
On regex 101 it is working fine, however on Splunk it is causing problems and I get an unknown search command error

Here is the query I am using,

index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" 
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\"
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page

I do not want the regex command to cut out pages with numbers in them, so I've included [^0-9] in there, which works on regex 101, but Splunk does not like it. Even when I use a backslash to block it out, it still doesn't pull out the data.

I've also tried using

index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" 
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw REQ\=\".*\/(?<page>[a-zA-Z_]+(\.jsp)?)\/?\"
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page

but this gives me the unknown search command :a error

Any help would be greatly appreciated,
Thanks

0 Karma
1 Solution

gcusello
SplunkTrust

Hi ssjabid,
did you try with quotes in the rex command?

| rex "REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\""

Option field=_raw isn't important.

Bye.
Giuseppe

janispelss
Path Finder

The rex command requires quotation marks around the regex expression.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Required_arguments

ssjabid
Explorer

Managed to get it working 🙂 this did help! thank you!

0 Karma

kamlesh_vaghela
SplunkTrust

@ssjabid

Can you please share sample data???

0 Karma

ssjabid
Explorer

REQ="././././switches" EVC="EVT_TRACE" EID="securityfilter.request" DIP="" CLS="" 4ReqURI="///*/api/v1/switches"

So I am trying to capture the switches part in REQ; however, sometimes a log appears with a number instead, which I would like to ignore, but [^0-9] doesn't happen to work.

0 Karma
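Added example, not part of the thread: the two regexes posted above, run in Python against the sample event from this thread plus a few constructed variants, to show what the `page` group actually captures once the quoting problem is out of the way. Python's re module spells named groups as `(?P<name>...)` instead of PCRE's `(?<name>...)`; that is the only change to the thread's patterns. The third pattern, BOUNDED, is an assumption of mine, not from the thread: it replaces the greedy `.*` with `[^"]*` so the match cannot run past the closing quote of the REQ value into later fields such as 4ReqURI.

```python
import re

# The thread's first pattern (\w*[^0-9]+). Note that \w* happily absorbs
# digits and [^0-9]+ also matches quotes and spaces, so it does not do
# what the poster wants.
ORIGINAL = re.compile(r'REQ\=\".*\/(?P<page>\w*[^0-9]+(\.jsp)?)\/?\"')

# The thread's second pattern ([a-zA-Z_]+): rejects digits, but the greedy
# .* still jumps to the LAST slash anywhere in the event.
ALPHA_ONLY = re.compile(r'REQ\=\".*\/(?P<page>[a-zA-Z_]+(\.jsp)?)\/?\"')

# Assumed hardened variant (not from the thread): [^"]* keeps the match
# inside REQ="..." so a later field with a path cannot be captured instead.
BOUNDED = re.compile(r'REQ=\"[^"]*/(?P<page>[a-zA-Z_]+(?:\.jsp)?)/?\"')

# Constructed test events. EVENTS[0] is the poster's real sample line; the
# rest are made up to probe the edge cases.
EVENTS = [
    'REQ="././././switches" EVC="EVT_TRACE" EID="securityfilter.request" '
    'DIP="" CLS="" 4ReqURI="///*/api/v1/switches"',
    # numeric page in REQ, but a later field carries a path with a word
    'REQ="/foo/123" EVC="EVT_TRACE" EID="securityfilter.request" '
    'DIP="" CLS="" 4ReqURI="///*/api/v1/switches"',
    # numeric page in REQ, nothing after it contains a slash or a digit
    'REQ="/foo/123" EVC="EVT_TRACE"',
    # a .jsp page, to confirm the optional suffix is kept
    'REQ="/account/login.jsp" EVC="EVT_TRACE"',
]


def extract_page(pattern, event):
    """Return the 'page' capture for one event, or None if no match."""
    m = pattern.search(event)
    return m.group('page') if m else None


def extract_all(pattern, events=EVENTS):
    """Apply one pattern to every event; mirrors '| rex' then '| stats by page'."""
    return [extract_page(pattern, e) for e in events]


def page_counts(pattern, events=EVENTS):
    """Equivalent of '| stats count by page' (unmatched events carry no page)."""
    counts = {}
    for page in extract_all(pattern, events):
        if page is not None:
            counts[page] = counts.get(page, 0) + 1
    return counts


if __name__ == '__main__':
    for name, pat in (('ORIGINAL', ORIGINAL), ('ALPHA_ONLY', ALPHA_ONLY),
                      ('BOUNDED', BOUNDED)):
        print(name)
        for event, page in zip(EVENTS, extract_all(pat)):
            print('  %-45s -> %r' % (event[:45], page))
```

Run as a script, the output shows three things worth knowing before trusting the stats: ORIGINAL captures `123" EVC="EVT_TRACE` for the numeric event when nothing with a digit follows REQ, because `[^0-9]+` matches quotes and spaces; both thread patterns return `switches` for an event whose REQ is `/foo/123`, because the greedy `.*` runs forward to the slash inside 4ReqURI; BOUNDED returns no page for the numeric events and `login.jsp` for the .jsp one. The SPL form of BOUNDED, with the inner quotes escaped the same way the accepted answer does, would be `| rex "REQ=\"[^\"]*/(?<page>[a-zA-Z_]+(?:\.jsp)?)/?\""` (my assumption, not tested in this thread).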