Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I getting "Error in 'rex' command...Reg...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker1981
Path Finder
09-09-2015
08:02 AM
Hello All,
I am brand new to Splunk and can't for the life of me figure out what I am doing wrong. I would like to pull the following data from raw text (about 10 lines of so of raw text), extract to a new field and then replace data in that field from paren number paren with a period. So (number) with .
Sample data
(1)dkfj(10)dkeiieii(2)ljflkkldj(3)
(2)datadata(1)dta(10)dat(2)
(8)sample(3)sample(0)
I am using the following command in Splunk, but when I try to display the results, I get blank data:
tag=unencoded | rex "(?<formatEncode>(\(\d+\))(\w+\(\d+\))+\w+(\(\d+\))" | rex mode=sed field=formatEncode "s/([0-9])/./g" | stats by formatEncode
I tested the regex and the sed substitution and both work just fine. I get the following error when I try to run it in Splunk:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<formatEncode<(\(\d+\))(\w+\(\d+\))+\w+(\(\d+\))': Regex: missing )
Any help or pointer would be greatly appreciated.
Thanks in advance.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkoops
Path Finder
09-09-2015
08:16 AM
Looks like you are missing a bracket at the end of your first rex command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-09-2015
08:39 AM
I'm assuming your sample data in question is showing data to be extracted from 3 different events.
You Sample data has variable number of strings (enclosed between numbers). Is that correct? Could you post full raw event as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkoops
Path Finder
09-09-2015
08:16 AM
Looks like you are missing a bracket at the end of your first rex command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker1981
Path Finder
09-09-2015
08:44 AM
Actually that was the issue, thanks.
For those trying to do something similar here is the command I used
rex "(?(\(\d+\))([A-Za-z0-9_\-]+\(\d+\))+\w+(\(\d+\)))" | rex mode=sed field=formatEncode "s/\([0-9]\)/./g" | stats by formatEncode
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
