Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I am receiving an error in 'rex' command?

Sureshp191
Explorer
‎06-14-2023 12:29 PM

Snag_9c06d92.pngI am trying to use a similar splunk query:

index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"

| rex "(?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*,"
| stats count BY TradingSymbol(s), Elapsed

I wanted to get them in a table as
Date,  PortfolioSymbol(s),  ElapsedTime

When I try to run it, I get the error 
Error in 'rex' command: The regex '(?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*,' does not extract anything. It should specify at least one named group. Format: (?<name>...).

When I try the same in regexr.com, for the below output, (?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*, able to highlight 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9,

RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658

Please help, Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎06-14-2023 08:17 PM

Hi @Sureshp191 

Here's a run anywhere example from the example data provided... 

| makeresults
| eval raw="RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658
RefreshAsyncjronized  End, TradingSymbol(s): 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, 2AC5, ElapsedTime: 15.3762658"
| eval raw=split(raw, "
")
| mvexpand raw
| rename raw AS _raw
  ``` the above is just creating dummy events to test the following SPL code with ```
| rex "TradingSymbol\(s\): (?<TradingSymbol>.+?), ElapsedTime: (?<ElapsedTime>[^\s]+)"
| stats values(ElapsedTime) AS ElapsedTime BY _time TradingSymbol
| rename TradingSymbol AS PortfolioSymbol(s)

 Note, using _time instead of Date is useful as the UI formats into a human readable form.  If it must be Date  then you cannot simply rename _time as Date as the Date will appear as an epoch seconds integer value. You'll need to do reformat time using eval and strftime() functions.  Basically, just stick with using _time instead.


 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎06-14-2023 08:17 PM

Hi @Sureshp191 

Here's a run anywhere example from the example data provided... 

| makeresults
| eval raw="RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658
RefreshAsyncjronized  End, TradingSymbol(s): 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, 2AC5, ElapsedTime: 15.3762658"
| eval raw=split(raw, "
")
| mvexpand raw
| rename raw AS _raw
  ``` the above is just creating dummy events to test the following SPL code with ```
| rex "TradingSymbol\(s\): (?<TradingSymbol>.+?), ElapsedTime: (?<ElapsedTime>[^\s]+)"
| stats values(ElapsedTime) AS ElapsedTime BY _time TradingSymbol
| rename TradingSymbol AS PortfolioSymbol(s)

 Note, using _time instead of Date is useful as the UI formats into a human readable form.  If it must be Date  then you cannot simply rename _time as Date as the Date will appear as an epoch seconds integer value. You'll need to do reformat time using eval and strftime() functions.  Basically, just stick with using _time instead.


 

Tags (1)
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-14-2023 02:04 PM

The error message clearly (IMO) says what the problem is - you don't have a named capture group in the rex command.  Fix that.  Also, avoid lookbehind - a simple TradingSymbol\(s): is sufficient.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Sureshp191
Explorer
‎06-14-2023 08:05 PM

@richgalloway 

Thanks for the help, I tried 
index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"
| rex field=_raw "TradingSymbol\(s\): (?<TradingSymbols>[^,]+), ElapsedTime: (?<ElapsedTime>[^ ]+)"

| table TradingSymbols, Elapsed

Even though I see around 20 plus events but on the Statics tab its zero:

output of msg.result.message on the events tab is:
RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658

On the Statics tab I wanted to show as below
TradingSymbols                                                                                                          ElapsedTime

2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9,                       12.3762658

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Sureshp191
Explorer
‎06-14-2023 02:33 PM

Thanks for the reply, I tried the below one, I am not getting an error but Statistics output is 0

index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"

| rex field =msg.result.message  "TradingSymbol(s):  (?<TradingSymbol>[^\"]*)  ElapsedTime:  (?<ElapsedTime>[^\"]*)"
| stats count BY TradingSymbol ElapsedTime

If I give only the "ElapsedTime: (?<ElapsedTime>[^\"]*)" I am able to see the required output in the Statistics tab but having the two as above, Statistics output is 0

I am new to regex, please help to resolve this:

msg.result.message is 

RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658

on the Statistics page, I want to display.
TradingSymbol  ElapsedTime

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...