rex giving unrecognized character

shobhitdesh · ‎09-10-2018

Regular expression

 "ParNew:" | rex "(?i)\\), (?P[^ ]+)" | rex "(?i).*?\\((?P\\d+\\w+)(?=\\))" | rex "(?i)\\[ParNew: (?P[^\\-]+)" | rex "(?i)\\->(?P[^\\(]+)" | table COLLECTION_TIME, HEAP_SIZE_AVAILABLE, OBJECT_SIZE_BEFORE_GC, OBJECT_SIZE_AFTER_GC

gives error in 'rex' command: Encountered the following error while compiling the regex '(?i)), (?P[^ ]+)': Regex: unrecognized character after (?P

mstjohn_splunk · ‎09-10-2018

hi @shobhitdesh

Did any of the answers or comments below solve your problem? If so, please resolve this post by approving it!

If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!

DalJeanis · ‎09-10-2018

Your query should have a field name in angle brackets after the (?P, and the P is unneeded. ... so something like (?<fieldname>.*)

inventsekar · ‎09-10-2018

as @richgalloway said, the rex query got damaged..
maybe you can update a screenshot your error when you run this cmd on screen on your splunk web GUI
or, put your rex query inside backticks (something)

richgalloway · ‎09-10-2018

The system mangled your regex so it's difficult to see what may be wrong.
Please edit or comment with the regex string inside backtick characters so it's displayed fully.

---
If this reply helps you, Karma would be appreciated.

rex giving unrecognized character

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life