Splunk Search

Simple rex works on REGEX101 but not in splunk.

Path Finder

Hey so I have a list of of values, that need to be standardized. The values I'm need to transform look like this:

I need to trim the values to just have their proper pool names (Pool1). Here is the SPL
MySearch|rex mode=sed field="Field1" s/"(-dp)|(_MSDP)" but, when I run it in my instance I keep getting errors like this one.

Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace.

I've spent about 4 hours trying to figure this out and I jut cant seem to do it. I wrote the REX in regex101, and it works there with no problem there. I did a bunch of googling and I tried most of the posts here at splunk answers, any help would be very appreciated.
Disclaimer I do not have access to the server where the instance is hosted, just the instance itself.

0 Karma


Your rex command may have been mangled by the forum (use backtics to prevent that), but it looks like the sed command is incomplete. There needs to be three delimiters: the first two enclose the expression to find and the second two enclose the replacement expression. Try this: rex mode=sed field="Field1" "s/(-dp)|(_MSDP)//".

If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...