Splunk Search

Why the error Error in 'rex' command while compiling the regex '\/home\/mysqld\/(?<D?

shruti14
Explorer

index=mysql sourcetype=audit_log earliest=1
| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"
| eval Database = coalesce(Database1,Database2)
| fields - Database1,Database2
| rex field=USER "(?<USER>[^\[]+)"
| rex mode=sed field=HOST "s/\.[a-z].*$//g"
| eval TIMESTAMP=strptime(TIMESTAMP, "%Y-%m-%dT%H:%M:%S UTC")
| where TIMESTAMP > now()-3600*24*90
| eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d")
| eval COMMAND_CLASS=if(isnull(COMMAND_CLASS) OR COMMAND_CLASS="", "NA", COMMAND_CLASS)
| eval HOST=if(isnull(HOST) OR HOST="", "NA", HOST)
| eval IP=if(isnull(IP) OR IP="", "NA", IP)
| eval Action=if(isnull(NAME) OR NAME="", "NA", NAME)
| eval STATUS=if(isnull(STATUS) OR STATUS="", "NA", STATUS)
| eval Query=if(isnull(SQLTEXT) OR SQLTEXT="", "NA", SQLTEXT)
| eval USER=if(isnull(USER) OR USER="", "NA", USER)
| stats count as Events by Database USER HOST IP COMMAND_CLASS Action STATUS Query TIMESTAMP
| lookup mysql_databases.csv DATABASE as Database OUTPUT APP_NAME
| eval APP_NAME=if(isnull(APP_NAME) OR APP_NAME="", "NA", APP_NAME)

 

and hence getting no output in search and reporting tab

Labels (2)
Tags (1)
0 Karma

shruti14
Explorer

Dashboard is simple xml but there also | rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/" not giving me result.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

The question is in which interface do you see "(?<Database1>.*)".  If you see them in the source editor, they should not cause any problem at all.  If you see them in panel editor, or worse, if you enter them into the search bar, they are plain wrong.

In case you are unfamiliar with Splunk's editor interfaces, whether you are using source editor or panel editor is determined by how you start the editing.  Here are some screenshots to show their differences.

This is the source editor

source-editor.png

This is the panel search editor

panel-editor.png

(Of course you know how the search bar look like.)

This is another interface that allows you to select which editor to use from the dashboard list.

editor-choice.png

Hope this  helps.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Are you sure they are not supposed to be this?

| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"

 You use HTML entities in dashboard source (if dashboard is SimpleXML), but not in search line.

0 Karma

shruti14
Explorer

Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&lt;Database1&gt;.*)\/audit\/': Regex: syntax error in subpattern name (missing terminator).

 

0 Karma

shruti14
Explorer

I am using source editor

0 Karma

yuanliu
SplunkTrust
SplunkTrust

If you did copy from source editor, the search view (in panel editor) of the two lines should be as I printed above, i.e.,

| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"

These two lines are correct and do not cause the error in your question.  Can you show us the actual search code in search view (under panel editor)?

Or are you trying to copy from source editor into a search window?  Generally that will cause error if there are any characters  that needs to be presented as HTML entities in Simple XML, such as less-than sign (<) and greater-than sign (>) as is used in rex commands.  Simply put, do not copy code from source editor into search window.  If you need to copy something into search window, you must use the panel editor. (Or, outside of editor, use "Open in search" link (magnifying glass).)

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...