Splunk Search

rex error help

Path Finder

The regular expression is correct according to RegExr, but i keep on getting this error

Error in 'rex' command: Encountered the following error while compiling the regex 'count(domain)=(?<count(domain)>.*)': Regex: syntax error in subpattern name (missing terminator)

Here is what i have in Splunk Search:

rex field=_raw "count(domain)=(?<count(domain)>.*)"

Thanks guys

Tags (1)
0 Karma

Motivator

hi
try this search code :

...................................|rex field=_raw "count\(domain\)\=(?<count_domain>[^\,]+)"|table count_domain
0 Karma

SplunkTrust
SplunkTrust

Try this (run anywhere)

 index="AAAA" source="BBBB" | rex field=_raw "count\(domain\)=(?<domain_count>.*)," | rename domain_count as count(domain)

Path Finder

Thanks for your help
^^

0 Karma

Path Finder

sample log

05/20/2014 00:00:00 +0900, searchname=AAAAA, searchnow=1400606400.000, infomintime=1400511600.000, infomaxtime=1400598000.000, infosearchtime=1400606401.123, count(domain)=744788, date_wday=tuesday
Thanks

0 Karma

Motivator

Hi ilove275,

brackets inside the rex field name cause the syntax issue.changing the field name count(domain) to domain_count would help u solving the issue.

rex field=_raw "count\(domain\)=(?<domain_count>.*)"

Thanks.

Path Finder

it doesn't come out the File name "domain_count" when I use "Rename" commamd

0 Karma

Path Finder

field name's "count(domain)" not "domain_count"

My Splunk Search
index="AAAA" source="BBBB" | rex field=raw "count(domain)=(?.*) datewday=(?.*)" | table date_wday count(domain)

error
Error in 'rex' command: Encountered the following error while compiling the regex 'count(domain)=(?.) datewday=(?<datewday>.)': Regex: syntax error in subpattern name (missing terminator)

Thanks rakesh_498115

0 Karma

SplunkTrust
SplunkTrust

and don't forget to append a " at the end of the regex command

0 Karma

SplunkTrust
SplunkTrust

can you provide some sample events please?

0 Karma