Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to extract value and receiving error message

shwetamis
Explorer
‎11-21-2019 09:24 AM

What am I doing wrong here??

index=du sourcetype="du:sbaservice-log"  du_service="dugovt4.0"  "ERROR=" | rex field=_raw "INFO\=\>CaseFileID\s+(?.*)" | rex field=_raw "INFO\=>Envelope\\InstID\s\=\s(?instID>\d+)"| rex field=_raw "lenderCaseNo\s\[(?\d+)\]" | rex field=_raw "Originating\sID\:\s+(?\S+)" | rex field=_raw "SBA\sCommand\:\s+(?\S+)" | rex field=_raw "Host\:\s+(?\S+)" | rex field=_raw " Base\sGUID\:\s+(?\S+)" | eval BTime = strptime(Begin_time, "%H:%M:%S.%3N")  | eval CTime = strptime(Completion_time, "%H:%M:%S.%3N")  | eval ResTime=CTime-BTime

Also, I am not getting the value of CASEFILEID data.

I get an error:

-Error in 'rex' command: Encountered the following error while compiling the regex 'INFO\=>Envelope\InstID\s\=\s(?instID>\d+)': Regex: unrecognized character follows \.

DATA:
11/21/2019 12:22:01.817 INFO=>Executing workflow...
11/21/2019 12:22:01.817 INFO=>CaseFileID 1427667459
11/21/2019 12:22:01.817 INFO=>Creating task 1003ToCLDF
11/21/2019 12:22:01.818 INFO=>Envelope InstID = 12006

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wenthold
Communicator
‎11-21-2019 10:04 AM

Update: Fixed a typo

It's hard to tell since your example isn't in a code block, but try this:

| rex field=_raw "INFO=>CaseFileID\s*(?<CaseFileID>\d+)"
| rex field=_raw "INFO=>Envelope InstID\s*=\s*(?<instID>\d+)"

You don't have to escape all the characters, and I think the rex issue is that you have a "\" instead of maybe "\s" and in your field capture you didn't have the opening character "<" - (?instID>\d+) should be (?<instID>\d+)

View solution in original post

Reply
Solved! Jump to solution
Solution

wenthold
Communicator
‎11-21-2019 10:04 AM

Update: Fixed a typo

It's hard to tell since your example isn't in a code block, but try this:

| rex field=_raw "INFO=>CaseFileID\s*(?<CaseFileID>\d+)"
| rex field=_raw "INFO=>Envelope InstID\s*=\s*(?<instID>\d+)"

You don't have to escape all the characters, and I think the rex issue is that you have a "\" instead of maybe "\s" and in your field capture you didn't have the opening character "<" - (?instID>\d+) should be (?<instID>\d+)

Reply
Solved! Jump to solution

shwetamis
Explorer
‎11-21-2019 10:09 AM

That worked 🙂 thank you so much

0 Karma
Reply
Solved! Jump to solution

wenthold
Communicator
‎11-21-2019 10:10 AM

you're welcome, glad it helped!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out &gt;&gt; Kudos to all the ...