
Why doesn't my rex code work?

JBlackberg
Engager

Very strange scenario. I'll use a rex statement to retrieve data and it works perfectly. If I copy and paste the rex command that Splunk used (Copied from Job Inspector) it does not work. I'll receive an error.

An actual snippet of raw data that I've used as an example in my erex statement. The data in bold is what went into my example. "usbProtocol":1,"deviceName":"Canon Digital Camera","vendorName":"Canon Inc.",

And the job inspector spat out the following:

| rex "(?i)\"deviceName\\\":\\\"(?P<Device>[^\\]+)"

And the data looked perfect, like so;

Canon Digital Camera


But if I use that rex statement spat out by the Job Inspector in my search Splunk says nay nay;

The error in Splunk received was "Error in 'rex' command: Encountered the following error while compiling the regex '(?i)"deviceName\":\"(?P<Device>[^\]+)': Regex: missing terminating ] for character class."


I reached out to a coworker that provided | rex ".*deviceName(?<Model>.*?),"

And it works to a degree, but includes characters that I'd rather not see in my data. Actual example of what is spat out;

\":\"Canon Digital Camera\"

Just also mentioning this in case it matters - where there is no data available/null within the "deviceName" raw data, it will show like this;

\":\"\"

I'd really appreciate some guidance with my regex code. I've been delving into this lately, used many training materials, but can't seem to figure this one out?!


bowesmana
SplunkTrust

Assuming the raw data has that exact syntax

| rex "(?i)\"deviceName\":\"(?P<Device>[^\"]+)"

Not sure why all the \\\ characters are in your example, but as for escaping characters in the Splunk search, you need to escape the " character, hence the \" sequences.

Then having found the starting " for the device, you want to search for everything up to the next " quote character [^\"]

The error you are getting is because [^\] is escaping the ] character. Using [^\\] is also insufficient as the \ to escape a \ needs to be doubled, so [^\\\] is valid, but not useful in your case. You simply want to search up to the next ", hence [^\"]+


JBlackberg
Engager

Thank you, I learned much from the information that you posted. Whenever I make those changes within my search, the results now show nothing/blank. 🤔 I've gotten other data to work correctly with rex and erex examples to spout search code that works successfully. This one is starting to make me curse.


ITWhisperer
SplunkTrust

Perhaps your real events aren't close enough to your example. For example, if you have (unshown) spaces in your real events, this might work better for you

| rex "(?i)\"deviceName\"\s*:\s*\"(?P<Device>[^\"]+)"

Alternatively, if that doesn't work, please share real but anonymised examples, preferably in a code block </> to preserve any formatting there might be.

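As an added illustration (not code from this thread or from Splunk), the Python script below models the double escaping bowesmana describes and runs the three rex patterns from the thread, plus one added null-tolerant variant, against constructed events. The spl_unescape function is a simplified assumption about how a double-quoted SPL string reaches the regex engine, and the event strings are made up to mirror the snippet in the question.

```python
import re

# Constructed sample events modelled on the snippet in the question (not real data).
EVENT = '"usbProtocol":1,"deviceName":"Canon Digital Camera","vendorName":"Canon Inc.",'
EVENT_SPACED = '"usbProtocol":1, "deviceName" : "Canon Digital Camera", "vendorName":"Canon Inc.",'
EVENT_EMPTY = '"usbProtocol":1,"deviceName":"","vendorName":"Canon Inc.",'

# The three patterns from the thread, exactly as they sit between the quotes of | rex "...".
JOB_INSPECTOR_REX = r'(?i)\"deviceName\\\":\\\"(?P<Device>[^\\]+)'
BOWESMANA_REX = r'(?i)\"deviceName\":\"(?P<Device>[^\"]+)'
ACCEPTED_REX = r'(?i)\"deviceName\"\s*:\s*\"(?P<Device>[^\"]+)'
# Added variant (assumption, not from the thread): * instead of + so an empty
# "deviceName":"" still yields the field as an empty string instead of no match at all.
NULL_SAFE_REX = r'(?i)\"deviceName\"\s*:\s*\"(?P<Device>[^\"]*)'


def spl_unescape(literal: str) -> str:
    # Simplified model (an assumption, not Splunk's real parser) of how a double-quoted
    # SPL string reaches the regex engine: \" becomes " and \\ becomes a single backslash.
    # Every other backslash sequence is passed through, so \s survives as the regex escape.
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal) and literal[i + 1] in '"\\':
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def run_rex(literal: str, event: str, field: str = "Device") -> dict:
    # Unescape one rex pattern and apply it to one event. A compile failure (the error
    # JBlackberg saw) is reported as ok=False; otherwise value is the captured field,
    # or None when the pattern compiles but does not match (the "blank results" case).
    regex = spl_unescape(literal)
    try:
        compiled = re.compile(regex)
    except re.error as exc:
        return {"ok": False, "regex": regex, "error": str(exc)}
    match = compiled.search(event)
    return {"ok": True, "regex": regex, "value": match.group(field) if match else None}


if __name__ == "__main__":
    for name, rex in [("job inspector", JOB_INSPECTOR_REX), ("bowesmana", BOWESMANA_REX),
                      ("accepted", ACCEPTED_REX), ("null-safe", NULL_SAFE_REX)]:
        for label, ev in [("tight", EVENT), ("spaced", EVENT_SPACED), ("empty", EVENT_EMPTY)]:
            print(f"{name:13s} {label:7s} -> {run_rex(rex, ev)}")
```

Running it shows the job-inspector pattern failing to compile with an unterminated character class, bowesmana's pattern matching the tight event but not the spaced one, and the accepted pattern matching both.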

JBlackberg
Engager

Thank you so much - that did the trick. And thanks for the heads up on adding my examples in a code block; I'll do so next time so as not to cause confusion.

Are there good resources that you recommend outside of Splunk documentation that I can continue to learn about regex? Teach a man to fish...


ITWhisperer
SplunkTrust

regex101.com is a good place to test regex and it gives an explanation of what your regex means. However, it should be noted that Splunk sometimes requires extra backslashes when they are escaped in expressions.

Also, www.regegg.com has some good explanations.
