- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: rex error help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex error help
The regular expression is correct according to RegExr, but i keep on getting this error
Error in 'rex' command: Encountered the following error while compiling the regex 'count(domain)=(?<count(domain)>.*)': Regex: syntax error in subpattern name (missing terminator)
Here is what i have in Splunk Search:
rex field=_raw "count(domain)=(?<count(domain)>.*)"
Thanks guys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
try this search code :
...................................|rex field=_raw "count\(domain\)\=(?<count_domain>[^\,]+)"|table count_domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (run anywhere)
index="AAAA" source="BBBB" | rex field=_raw "count\(domain\)=(?<domain_count>.*)," | rename domain_count as count(domain)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help
^^
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample log
05/20/2014 00:00:00 +0900, search_name=AAAAA, search_now=1400606400.000, info_min_time=1400511600.000, info_max_time=1400598000.000, info_search_time=1400606401.123, count(domain)=744788, date_wday=tuesday
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ilove275,
brackets inside the rex field name cause the syntax issue.changing the field name count(domain) to domain_count would help u solving the issue.
rex field=_raw "count\(domain\)=(?<domain_count>.*)"
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it doesn't come out the File name "domain_count" when I use "Rename" commamd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field name's "count(domain)" not "domain_count"
My Splunk Search
index="AAAA" source="BBBB" | rex field=_raw "count(domain)=(?
error
Error in 'rex' command: Encountered the following error while compiling the regex 'count(domain)=(?
Thanks rakesh_498115
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
and don't forget to append a " at the end of the regex command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you provide some sample events please?
Archived Metrics Now Available for APAC and EMEA realms
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!
