Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why the error Error in 'rex' command while compiling the regex '\/home\/mysqld\/(?<D?

shruti14
Explorer
‎01-07-2023 06:10 AM

index=mysql sourcetype=audit_log earliest=1
| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"
| eval Database = coalesce(Database1,Database2)
| fields - Database1,Database2
| rex field=USER "(?<USER>[^\[]+)"
| rex mode=sed field=HOST "s/\.[a-z].*$//g"
| eval TIMESTAMP=strptime(TIMESTAMP, "%Y-%m-%dT%H:%M:%S UTC")
| where TIMESTAMP > now()-3600*24*90
| eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d")
| eval COMMAND_CLASS=if(isnull(COMMAND_CLASS) OR COMMAND_CLASS="", "NA", COMMAND_CLASS)
| eval HOST=if(isnull(HOST) OR HOST="", "NA", HOST)
| eval IP=if(isnull(IP) OR IP="", "NA", IP)
| eval Action=if(isnull(NAME) OR NAME="", "NA", NAME)
| eval STATUS=if(isnull(STATUS) OR STATUS="", "NA", STATUS)
| eval Query=if(isnull(SQLTEXT) OR SQLTEXT="", "NA", SQLTEXT)
| eval USER=if(isnull(USER) OR USER="", "NA", USER)
| stats count as Events by Database USER HOST IP COMMAND_CLASS Action STATUS Query TIMESTAMP
| lookup mysql_databases.csv DATABASE as Database OUTPUT APP_NAME
| eval APP_NAME=if(isnull(APP_NAME) OR APP_NAME="", "NA", APP_NAME)

 

and hence getting no output in search and reporting tab

Labels (2)
Labels
Tags (1)
0 Karma
Reply

shruti14
Explorer
‎01-07-2023 10:52 AM

Dashboard is simple xml but there also | rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/" not giving me result.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-07-2023 01:49 PM

The question is in which interface do you see "(?<Database1>.*)".  If you see them in the source editor, they should not cause any problem at all.  If you see them in panel editor, or worse, if you enter them into the search bar, they are plain wrong.

In case you are unfamiliar with Splunk's editor interfaces, whether you are using source editor or panel editor is determined by how you start the editing.  Here are some screenshots to show their differences.

This is the source editor

source-editor.png

This is the panel search editor

panel-editor.png

(Of course you know how the search bar look like.)

This is another interface that allows you to select which editor to use from the dashboard list.

editor-choice.png

Hope this  helps.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-07-2023 10:23 AM

Are you sure they are not supposed to be this?

| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"

 You use HTML entities in dashboard source (if dashboard is SimpleXML), but not in search line.

0 Karma
Reply

shruti14
Explorer
‎01-07-2023 06:15 AM

Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&lt;Database1&gt;.*)\/audit\/': Regex: syntax error in subpattern name (missing terminator).

 

0 Karma
Reply

shruti14
Explorer
‎01-08-2023 12:55 AM

I am using source editor

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-08-2023 01:36 AM

If you did copy from source editor, the search view (in panel editor) of the two lines should be as I printed above, i.e.,

| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"

These two lines are correct and do not cause the error in your question.  Can you show us the actual search code in search view (under panel editor)?

Or are you trying to copy from source editor into a search window?  Generally that will cause error if there are any characters  that needs to be presented as HTML entities in Simple XML, such as less-than sign (<) and greater-than sign (>) as is used in rex commands.  Simply put, do not copy code from source editor into search window.  If you need to copy something into search window, you must use the panel editor. (Or, outside of editor, use "Open in search" link (magnifying glass).)

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...