Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting "Error in 'rex' command...Regex: missing )"?

splunker1981
Path Finder
‎09-09-2015 08:02 AM

Hello All,

I am brand new to Splunk and can't for the life of me figure out what I am doing wrong. I would like to pull the following data from raw text (about 10 lines of so of raw text), extract to a new field and then replace data in that field from paren number paren with a period. So (number) with . 

Sample data
(1)dkfj(10)dkeiieii(2)ljflkkldj(3)
(2)datadata(1)dta(10)dat(2)
(8)sample(3)sample(0)

I am using the following command in Splunk, but when I try to display the results, I get blank data: 

tag=unencoded | rex "(?<formatEncode>(\(\d+\))(\w+\(\d+\))+\w+(\(\d+\))" | rex mode=sed field=formatEncode "s/([0-9])/./g"  | stats by formatEncode

I tested the regex and the sed substitution and both work just fine. I get the following error when I try to run it in Splunk:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<formatEncode<(\(\d+\))(\w+\(\d+\))+\w+(\(\d+\))': Regex: missing )

Any help or pointer would be greatly appreciated.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dkoops
Path Finder
‎09-09-2015 08:16 AM

Looks like you are missing a bracket at the end of your first rex command.

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-09-2015 08:39 AM

I'm assuming your sample data in question is showing data to be extracted from 3 different events.
You Sample data has variable number of strings (enclosed between numbers). Is that correct? Could you post full raw event as well?

0 Karma
Reply
Solved! Jump to solution
Solution

dkoops
Path Finder
‎09-09-2015 08:16 AM

Looks like you are missing a bracket at the end of your first rex command.

Reply
Solved! Jump to solution

splunker1981
Path Finder
‎09-09-2015 08:44 AM

Actually that was the issue, thanks.

For those trying to do something similar here is the command I used 

rex "(?(\(\d+\))([A-Za-z0-9_\-]+\(\d+\))+\w+(\(\d+\)))" | rex mode=sed field=formatEncode "s/\([0-9]\)/./g" | stats by formatEncode
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...