Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I receiving an error in 'rex' command?

khairilfirza
Explorer
‎07-12-2018 12:46 AM

Hi team, I want to ask:
I cannot do extract new field and its show this error.

Error in 'rex' command: The regex 'Telco' does not extract anything. It should specify at least one named group. Format: (?...).

Before this my Telco was display on the selected field, but somehow it missing, and after that I cannot extract a new field.

Can you help me? Please

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-12-2018 02:07 AM

I'm assuming your search looks like this:

 ... | rex "telco"

Like the error message says, you must put in a named capturing group so that Splunk knows what name to give your new field. For example, if you want to call that field "myField", your regex would look like this:

...| rex "(?<myField>telco)"

View solution in original post

Reply
Solved! Jump to solution

premraj_vs
Path Finder
‎01-24-2019 07:29 PM

I had the same issue and after trying many complex solutions, the simple solution that worked for me is removing the space after field in rex command.

| rex field=_raw ".+\[(?P<ActionResponseandType>.+)]\s
0 Karma
Reply
Solved! Jump to solution

khairilfirza
Explorer
‎07-12-2018 02:18 AM

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

j_cabanillas
Explorer
‎07-20-2018 10:51 AM

try * source="/var/log/va-router/vpn/vpn.log" | rex field=_raw "(?telco)"

Reply
Solved! Jump to solution

khairilfirza
Explorer
‎07-22-2018 07:17 PM

it display this error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?telco)': Regex: unrecognized character after (? or (?-

0 Karma
Reply
Solved! Jump to solution

j_cabanillas
Explorer
‎07-23-2018 07:24 AM

could you add a log example where the Telco words is in ?

0 Karma
Reply
Solved! Jump to solution

j_cabanillas
Explorer
‎07-23-2018 08:10 AM

So the in telco its provide information like Maxis , Digi, and Celcom. So when click on the telco it will display this field. But some how the telco is missing in this field from this search (* source="/var/log/va-router/vpn/vpn.log").

SO Maxis, Digi, Celcom are telecomunication service providers right? As jplumsdaine22 says , that data is not showing on your logs ,at least not in the one you showed us on the picture.

If that data is not part of the logs it means there must be a lookup for that data that someone created to associated part of the log to each provider.

For example:
The lookup could associate using VPN-SA01XXXX to Digi and VPN-CB01XXXXX to Celcom.
It could also be associated to external IPs, but I don't see external IPs in your logs

0 Karma
Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-12-2018 02:07 AM

I'm assuming your search looks like this:

 ... | rex "telco"

Like the error message says, you must put in a named capturing group so that Splunk knows what name to give your new field. For example, if you want to call that field "myField", your regex would look like this:

...| rex "(?<myField>telco)"
Reply
Solved! Jump to solution

khairilfirza
Explorer
‎07-12-2018 02:18 AM 
![* source="/var/log/va-router/vpn/vpn.log" | rex "(?<Telco>telco)"][1]

I'm sorry, I dont know how to do this one, before this my telco is display on the selected field and interesting field.

Now I dont how to find the telco.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-12-2018 02:32 AM

So the regex I have there will create a field called Telco with the value 'telco', if the event contains the string telco. This is unlikely to be what you want. Can you perhaps describe your search in more general terms?

Reply
Solved! Jump to solution

khairilfirza
Explorer
‎07-12-2018 02:52 AM
  • source="/var/log/va-router/vpn/vpn.log"

This is the search i used for visualize data. In this search usually I got my telco in the field.
So the in telco its provide information like Maxis , Digi, and Celcom.
So when click on the telco it will display this field. But some how the telco is missing in this field from this search (* source="/var/log/va-router/vpn/vpn.log").

And because that "telco" field is missing I face the problem to extract the new field and show rex error.

Hope you understand

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-12-2018 03:06 AM

OK - I don't see any of those terms in your data, so I'm not sure if they are a field extraction or a lookup. It may be that someone made a lookup for the data and it has broken somehow. Have you contacted your Splunk admin?

Reply
Solved! Jump to solution

493669
Super Champion
‎07-12-2018 02:06 AM

alt text

once you type your query select the query first and click 1010110 (above) button - like below
rex "(?.*)"

Preview file
1 KB
Reply
Solved! Jump to solution

493669
Super Champion
‎07-12-2018 01:34 AM

can you provide your regex query using 101010 button so that no special character get escape

Reply
Solved! Jump to solution

khairilfirza
Explorer
‎07-12-2018 02:00 AM

can i know where should i put 101010?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...