Splunk Search

Why is "rex field" not producing results when used in an API call?

selsin
Engager

Search works correctly in Splunk Web:

index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)" | stats count by client

But using it in an API call returns nothing:

curl -u user:'password' -k https://localhost:8089/services/search/jobs/export -d search='search index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)" | stats count by client' -d output_mode=csv -d earliest_time="-1d" -d latest_time="-1m"

I can get other searches to execute correctly via API calls, and even other versions of this search that return multiple other fields. But if I ask it to return field "client" also, it always renders nothing for output.

0 Karma
1 Solution

micahkemp
Champion

Have you tried specifying your search with --data-urlencode instead of -d (which doesn't URL encode)? Your search contains a +, which I believe represents a space unless URL encoded.
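
As an added illustration that is not from the thread, the following Python sketch reproduces the form decoding the REST endpoint applies to the request body and compares what the server sees for the search parameter when the body is built the way curl -d builds it versus the way --data-urlencode builds it; it also flags the characters in an SPL string that an unencoded body would mangle. The helper names and the use of Python's urllib to stand in for curl's encoding are assumptions.

```python
# Added example (not from the thread): why the "+" in "\w+" disappears when the
# search is sent with curl -d, and how the REST endpoint sees it after form decoding.
from urllib.parse import parse_qs, urlencode

# The SPL from the question (the index name is a placeholder, as on the page).
SEARCH = ('search index=xxxx | rex field=_raw "InvalidLogin\\|NotFound\\|(?<client>\\w+)"'
          ' | stats count by client')

# Characters that curl -d passes through verbatim but that have special meaning
# in an application/x-www-form-urlencoded body.
FORM_SPECIAL = {
    "+": "decodes to a space",
    "&": "starts a new parameter",
    "%": "starts a percent-escape",
}


def raw_body(search, **params):
    """Body as curl -d builds it: fields joined with '&', values sent unencoded."""
    fields = [("search", search)] + list(params.items())
    return "&".join(f"{k}={v}" for k, v in fields)


def encoded_body(search, **params):
    """Body as curl --data-urlencode builds it: values percent-encoded."""
    fields = [("search", search)] + list(params.items())
    return urlencode(fields)


def server_view(body):
    """What the endpoint sees for 'search' after standard form decoding
    ('+' becomes a space, '%XX' escapes are resolved, '&' separates fields)."""
    return parse_qs(body, keep_blank_values=True)["search"][0]


def mangled_chars(search):
    """Characters in an SPL string that will not survive an unencoded -d body."""
    return {c: why for c, why in FORM_SPECIAL.items() if c in search}


if __name__ == "__main__":
    for label, body in (("-d", raw_body(SEARCH, output_mode="csv")),
                        ("--data-urlencode", encoded_body(SEARCH, output_mode="csv"))):
        seen = server_view(body)
        print(f"{label:18} intact={seen == SEARCH}  server sees: {seen}")
    print("would be mangled by -d:", mangled_chars(SEARCH))
```

With -d the regex reaches the server as (?<client>\w ) with a literal space in place of the quantifier, so the field is never extracted and stats count by client has nothing to count.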

selsin
Engager

That did it. Thanks!

0 Karma

DalJeanis
Legend

Are there really asterisks in that regex around the word "client" in the two searches?

If asterisk-client-asterisk is a valid name, it needs to be used in the "by" clause as well as the rex.

0 Karma

selsin
Engager

Corrected the above queries. They now show correctly.

0 Karma

scott_cultuream
New Member

Were you able to figure this out? I'm having the same issue. rex doesn't seem to generate new fields when used in the API.

0 Karma

selsin
Engager

No, I was never able to get it to work. We ended up having to write a perl script to parse the output instead.

0 Karma

scott_cultuream
New Member

I actually was able to make it work.

For some reason, the rex expression that I was using in the UI didn't work. But when I rewrote to be based off of _raw rather than another field, that did the trick. You have to write a more complex expression, but for me, it wasn't terrible.

0 Karma

selsin
Engager

No, there are no asterisks. It is actually like this: (?<client>\w+)
When I was putting the question in, the preview window showed only (?\w+). So adding asterisks made it print in italics, but at least show correctly. Didn't know that once the question got approved and posted it would literally add the asterisks in.

0 Karma