Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to extract value and receiving error message

shwetamis
Explorer
‎11-21-2019 09:24 AM

What am I doing wrong here??

index=du sourcetype="du:sbaservice-log"  du_service="dugovt4.0"  "ERROR=" | rex field=_raw "INFO\=\>CaseFileID\s+(?.*)" | rex field=_raw "INFO\=>Envelope\\InstID\s\=\s(?instID>\d+)"| rex field=_raw "lenderCaseNo\s\[(?\d+)\]" | rex field=_raw "Originating\sID\:\s+(?\S+)" | rex field=_raw "SBA\sCommand\:\s+(?\S+)" | rex field=_raw "Host\:\s+(?\S+)" | rex field=_raw " Base\sGUID\:\s+(?\S+)" | eval BTime = strptime(Begin_time, "%H:%M:%S.%3N")  | eval CTime = strptime(Completion_time, "%H:%M:%S.%3N")  | eval ResTime=CTime-BTime

Also, I am not getting the value of CASEFILEID data.

I get an error:

-Error in 'rex' command: Encountered the following error while compiling the regex 'INFO\=>Envelope\InstID\s\=\s(?instID>\d+)': Regex: unrecognized character follows \.

DATA:
11/21/2019 12:22:01.817 INFO=>Executing workflow...
11/21/2019 12:22:01.817 INFO=>CaseFileID 1427667459
11/21/2019 12:22:01.817 INFO=>Creating task 1003ToCLDF
11/21/2019 12:22:01.818 INFO=>Envelope InstID = 12006

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wenthold
Communicator
‎11-21-2019 10:04 AM

Update: Fixed a typo

It's hard to tell since your example isn't in a code block, but try this:

| rex field=_raw "INFO=>CaseFileID\s*(?<CaseFileID>\d+)"
| rex field=_raw "INFO=>Envelope InstID\s*=\s*(?<instID>\d+)"

You don't have to escape all the characters, and I think the rex issue is that you have a "\" instead of maybe "\s" and in your field capture you didn't have the opening character "<" - (?instID>\d+) should be (?<instID>\d+)

View solution in original post

Reply
Solved! Jump to solution
Solution

wenthold
Communicator
‎11-21-2019 10:04 AM

Update: Fixed a typo

It's hard to tell since your example isn't in a code block, but try this:

| rex field=_raw "INFO=>CaseFileID\s*(?<CaseFileID>\d+)"
| rex field=_raw "INFO=>Envelope InstID\s*=\s*(?<instID>\d+)"

You don't have to escape all the characters, and I think the rex issue is that you have a "\" instead of maybe "\s" and in your field capture you didn't have the opening character "<" - (?instID>\d+) should be (?<instID>\d+)

Reply
Solved! Jump to solution

shwetamis
Explorer
‎11-21-2019 10:09 AM

That worked 🙂 thank you so much

0 Karma
Reply
Solved! Jump to solution

wenthold
Communicator
‎11-21-2019 10:10 AM

you're welcome, glad it helped!

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...