Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I am receiving an error in 'rex' command?

Sureshp191
Explorer
‎06-14-2023 12:29 PM

Snag_9c06d92.pngI am trying to use a similar splunk query:

index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"

| rex "(?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*,"
| stats count BY TradingSymbol(s), Elapsed

I wanted to get them in a table as
Date,  PortfolioSymbol(s),  ElapsedTime

When I try to run it, I get the error 
Error in 'rex' command: The regex '(?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*,' does not extract anything. It should specify at least one named group. Format: (?<name>...).

When I try the same in regexr.com, for the below output, (?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*, able to highlight 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9,

RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658

Please help, Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎06-14-2023 08:17 PM

Hi @Sureshp191 

Here's a run anywhere example from the example data provided... 

| makeresults
| eval raw="RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658
RefreshAsyncjronized  End, TradingSymbol(s): 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, 2AC5, ElapsedTime: 15.3762658"
| eval raw=split(raw, "
")
| mvexpand raw
| rename raw AS _raw
  ``` the above is just creating dummy events to test the following SPL code with ```
| rex "TradingSymbol\(s\): (?<TradingSymbol>.+?), ElapsedTime: (?<ElapsedTime>[^\s]+)"
| stats values(ElapsedTime) AS ElapsedTime BY _time TradingSymbol
| rename TradingSymbol AS PortfolioSymbol(s)

 Note, using _time instead of Date is useful as the UI formats into a human readable form.  If it must be Date  then you cannot simply rename _time as Date as the Date will appear as an epoch seconds integer value. You'll need to do reformat time using eval and strftime() functions.  Basically, just stick with using _time instead.


 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎06-14-2023 08:17 PM

Hi @Sureshp191 

Here's a run anywhere example from the example data provided... 

| makeresults
| eval raw="RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658
RefreshAsyncjronized  End, TradingSymbol(s): 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, 2AC5, ElapsedTime: 15.3762658"
| eval raw=split(raw, "
")
| mvexpand raw
| rename raw AS _raw
  ``` the above is just creating dummy events to test the following SPL code with ```
| rex "TradingSymbol\(s\): (?<TradingSymbol>.+?), ElapsedTime: (?<ElapsedTime>[^\s]+)"
| stats values(ElapsedTime) AS ElapsedTime BY _time TradingSymbol
| rename TradingSymbol AS PortfolioSymbol(s)

 Note, using _time instead of Date is useful as the UI formats into a human readable form.  If it must be Date  then you cannot simply rename _time as Date as the Date will appear as an epoch seconds integer value. You'll need to do reformat time using eval and strftime() functions.  Basically, just stick with using _time instead.


 

Tags (1)
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-14-2023 02:04 PM

The error message clearly (IMO) says what the problem is - you don't have a named capture group in the rex command.  Fix that.  Also, avoid lookbehind - a simple TradingSymbol\(s): is sufficient.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Sureshp191
Explorer
‎06-14-2023 08:05 PM

@richgalloway 

Thanks for the help, I tried 
index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"
| rex field=_raw "TradingSymbol\(s\): (?<TradingSymbols>[^,]+), ElapsedTime: (?<ElapsedTime>[^ ]+)"

| table TradingSymbols, Elapsed

Even though I see around 20 plus events but on the Statics tab its zero:

output of msg.result.message on the events tab is:
RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658

On the Statics tab I wanted to show as below
TradingSymbols                                                                                                          ElapsedTime

2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9,                       12.3762658

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Sureshp191
Explorer
‎06-14-2023 02:33 PM

Thanks for the reply, I tried the below one, I am not getting an error but Statistics output is 0

index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"

| rex field =msg.result.message  "TradingSymbol(s):  (?<TradingSymbol>[^\"]*)  ElapsedTime:  (?<ElapsedTime>[^\"]*)"
| stats count BY TradingSymbol ElapsedTime

If I give only the "ElapsedTime: (?<ElapsedTime>[^\"]*)" I am able to see the required output in the Statistics tab but having the two as above, Statistics output is 0

I am new to regex, please help to resolve this:

msg.result.message is 

RefreshAsyncjronized  End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6,  TEST-2BA9, ElapsedTime: 12.3762658

on the Statistics page, I want to display.
TradingSymbol  ElapsedTime

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...