Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex query

harishnpandey
Explorer
‎07-18-2017 01:57 PM

For below input I tried search query as

index=myindex "Notification"|rex "(MQ) (?\d+) = (?\w+)"|stats count(Notification)
However, its not working says "no result found". The moment I take off ==> stats count(Notification)
it shows values

Input:
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = EMAIL
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = SMS
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = VOICE
Output

Notification Type TypeCode
MQ EMAIL
MQ SMS
MQ VOICE

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-18-2017 02:22 PM

Okay, reading what I can read, i don't see why it would succeed.

Your rex is looking for a decimal number after (MQ) and before the =, which is not in your data.

Something like this should pull the two fields...

| rex "Notification Type \((?<NotifType>[^\)]*)\) = (?<TypeCode>\w+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-18-2017 02:22 PM

Okay, reading what I can read, i don't see why it would succeed.

Your rex is looking for a decimal number after (MQ) and before the =, which is not in your data.

Something like this should pull the two fields...

| rex "Notification Type \((?<NotifType>[^\)]*)\) = (?<TypeCode>\w+)"
0 Karma
Reply
Solved! Jump to solution

harishnpandey
Explorer
‎07-19-2017 04:01 AM

Thank you Jean. I figured out my mistake with your help 🙂

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-18-2017 02:07 PM

You query is truncated. Please edit the question to add the query again and ensure that you select the query and click on button "101010" OR press Ctrl+K to format the code (to retains all formatting/content). Do the same for your raw data and output

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...