Splunk Search

'rex' command in 6.6.2 Splunk

udayk1
Path Finder

I am trying to use the 'rex' command in one of our searches but not successful, the same search was working 1 month back before upgrade, now it stopped. Any help please?

It throws me an error as ERROR SearchOperator:rex - Error in 'rex' command: Encountered the following error while compiling the regex '(?is) cat=(?.*?) sourceServiceName=': Regex: unrecognized character after (? or (?-

Below is the command I use,

sourcetype=***bla blaa***
| rex field=_raw "(?is) cat=(?.*?) sourceServiceName="
| rex field=_raw "(?is) duser=(?.*?) fname="
| rex field=_raw "(?is) msg=(?.*?) suser="
| rex field=_raw "(?is) suser=(?.*?) cat="
| table _time Suser Cat Duser Msg act 
1 Solution

wenthold
Communicator

Edit: the code block isn't quite working correctly and the formatting was messed up on the first try. Hopefully this fixes it.

sourcetype=bla blaa
| rex field=_raw "(?is) cat=(?<cat>.*?) sourceServiceName="
| rex field=_raw "(?is) duser=(?<duser>.*?) fname="
| rex field=_raw "(?is) msg=(?<msg>.*?) suser="
| rex field=_raw "(?is) suser=(?<suser>.*?) cat="
| table _time Suser Cat Duser Msg 

I'm pretty sure it would be better to combine these where you can, instead of running multiple REX commands, for example:

| rex field=_raw "(?is)msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=" | rex field=_raw "(?is) duser=(?<duser>.*?) fname="

I can't tell where duser is in the _raw field (assuming it's in the same message) but you can probably combine this all into one rex command:

| rex field=_raw "(?is)msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=.*? duser=(?<duser>.*?) fname="

or

| rex field=_raw "(?is)duser=(?<duser>.*?) fname=.*? msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName="


woodcock
Esteemed Legend

I agree with the parser; what in the world is (?.*?) supposed to do?



woodcock
Esteemed Legend

The field=_raw is an implied default.


skalliger
SplunkTrust
(?.?)

That right there. It's an incomplete group structure. That won't work.

Skalli

cmerriman
Super Champion

I suggest going to regex101.com and putting in some sample data and working out the regex. Otherwise, if you could input some of the data, it would be helpful for us to assist you. But @skalliger is correct, you need to fix the group structure. cat=(?<cat>.*) perhaps, however that is greedy and you'd likely want to edit it to match your data.

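Added example, not from anyone in this thread: a constructed CEF-style event run through the broken pattern from the question, a single-pass pattern in the style of wenthold's combined rex, and the greedy `.*` variant cmerriman warns about. Splunk's rex uses PCRE while Python's re only accepts (?P<name>...) for named groups, so an assumed helper rewrites the group syntax before compiling; the compile error text is therefore analogous to Splunk's, not identical.

```python
import re
from typing import Optional

# Constructed CEF-style event (not from the thread). Note the newline inside
# msg=, which is what the (?is) flags in the original search are there for.
SAMPLE_EVENT = (
    "CEF:0|Vendor|Product|1.0|100|Login|3|"
    "duser=jdoe fname=report.pdf msg=User logged in\nfrom VPN "
    "suser=admin cat=Authentication sourceServiceName=sshd act=allow"
)

# The pattern from the question: "(?" is followed by neither a group name
# nor a modifier, so the regex engine rejects it at compile time.
BROKEN = r"(?is) cat=(?.*?) sourceServiceName="
# Single-pass pattern in the style of the accepted answer (duser-before-msg order).
FIXED = (r"(?is)duser=(?<duser>.*?) fname=.*? msg=(?<msg>.*?) "
         r"suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=")
# Greedy variant: with (?s) in effect, .* swallows the rest of the event.
GREEDY = r"(?is) cat=(?<cat>.*)"


def pcre_to_python(pattern: str) -> str:
    """Assumed helper: rewrite PCRE named groups (?<name>...) to Python's
    (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex_error(pattern: str) -> Optional[str]:
    """Return the regex compile error text, or None if the pattern compiles."""
    try:
        re.compile(pcre_to_python(pattern))
    except re.error as exc:
        return str(exc)
    return None


def extract(pattern: str, event: str) -> dict:
    """Emulate rex: return the named captures of the first match, or {} if none."""
    match = re.compile(pcre_to_python(pattern)).search(event)
    return match.groupdict() if match else {}


if __name__ == "__main__":
    print("broken:", rex_error(BROKEN))
    print("fixed :", extract(FIXED, SAMPLE_EVENT))
    print("greedy:", extract(GREEDY, SAMPLE_EVENT)["cat"])
```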