Splunk Search

Why the error Error in 'rex' command while compiling the regex '\/home\/mysqld\/(?<D?

shruti14
Explorer

index=mysql sourcetype=audit_log earliest=1
| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"
| eval Database = coalesce(Database1,Database2)
| fields - Database1,Database2
| rex field=USER "(?<USER>[^\[]+)"
| rex mode=sed field=HOST "s/\.[a-z].*$//g"
| eval TIMESTAMP=strptime(TIMESTAMP, "%Y-%m-%dT%H:%M:%S UTC")
| where TIMESTAMP > now()-3600*24*90
| eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d")
| eval COMMAND_CLASS=if(isnull(COMMAND_CLASS) OR COMMAND_CLASS="", "NA", COMMAND_CLASS)
| eval HOST=if(isnull(HOST) OR HOST="", "NA", HOST)
| eval IP=if(isnull(IP) OR IP="", "NA", IP)
| eval Action=if(isnull(NAME) OR NAME="", "NA", NAME)
| eval STATUS=if(isnull(STATUS) OR STATUS="", "NA", STATUS)
| eval Query=if(isnull(SQLTEXT) OR SQLTEXT="", "NA", SQLTEXT)
| eval USER=if(isnull(USER) OR USER="", "NA", USER)
| stats count as Events by Database USER HOST IP COMMAND_CLASS Action STATUS Query TIMESTAMP
| lookup mysql_databases.csv DATABASE as Database OUTPUT APP_NAME
| eval APP_NAME=if(isnull(APP_NAME) OR APP_NAME="", "NA", APP_NAME)

 

and hence getting no output in search and reporting tab

Labels (2)
Tags (1)
0 Karma

shruti14
Explorer

Dashboard is simple xml but there also | rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/" not giving me result.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

The question is in which interface do you see "(?<Database1>.*)".  If you see them in the source editor, they should not cause any problem at all.  If you see them in panel editor, or worse, if you enter them into the search bar, they are plain wrong.

In case you are unfamiliar with Splunk's editor interfaces, whether you are using source editor or panel editor is determined by how you start the editing.  Here are some screenshots to show their differences.

This is the source editor

source-editor.png

This is the panel search editor

panel-editor.png

(Of course you know how the search bar look like.)

This is another interface that allows you to select which editor to use from the dashboard list.

editor-choice.png

Hope this  helps.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Are you sure they are not supposed to be this?

| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"

 You use HTML entities in dashboard source (if dashboard is SimpleXML), but not in search line.

0 Karma

shruti14
Explorer

Error in 'rex' command: Encountered the following error while compiling the regex '\/home\/mysqld\/(?&lt;Database1&gt;.*)\/audit\/': Regex: syntax error in subpattern name (missing terminator).

 

0 Karma

shruti14
Explorer

I am using source editor

0 Karma

yuanliu
SplunkTrust
SplunkTrust

If you did copy from source editor, the search view (in panel editor) of the two lines should be as I printed above, i.e.,

| rex field=source "\/home\/mysqld\/(?<Database1>.*)\/audit\/"
| rex field=source "\/mydata\/log\/(?<Database2>.*)\/audit\/"

These two lines are correct and do not cause the error in your question.  Can you show us the actual search code in search view (under panel editor)?

Or are you trying to copy from source editor into a search window?  Generally that will cause error if there are any characters  that needs to be presented as HTML entities in Simple XML, such as less-than sign (<) and greater-than sign (>) as is used in rex commands.  Simply put, do not copy code from source editor into search window.  If you need to copy something into search window, you must use the panel editor. (Or, outside of editor, use "Open in search" link (magnifying glass).)

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...