Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- rex not working as expected
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
09-10-2017
05:49 PM
What is wrong with this rex?? This is the rex that the system gives me when I do a extract fields option.
index=x ... | rex "^(?:[^"\n]*"){3}(?P<index_ks>[^"]+)"
I am getting
Mismatched ']'. when I do the search.
This is the regex working here
https://regex101.com/r/LxVFbf/1
Another way to write it is like this, although not as generic:
index=* | rex "index="(?P<index_ks>.*)";"
which works see here:
https://regex101.com/r/YCn7h6/1
However, the result single quotes at start and end e.g. 'result1' 'result2' in Splunk, but not in the regex101 example.
Would like to understand this better.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
09-10-2017
06:53 PM
It is necessary to escape double quotes.
ex.
| rex "^(?:[^\"\n]*\"){3}(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
youngsuh
Contributor
04-23-2020
03:57 PM
Here is the search with rex. I am lost why it's not working to exact the user.
index=ldap sourcetype="ldap:audit"
| rex "\s\w{2}=\w\d(?<user>[^,]+)"
| stats count by user
Here is the event string:
time: 20200423225406
result: 0
changetype: modify
replace: lastLoginTime
lastLoginTime: 20200423225402Z
modifiersName: cn=g5-bdent,ou=srveauth,dc=june,dc=gov
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
09-10-2017
07:08 PM
Your spl line of rex is getting interpreted as below which is making it see it as a misplaced quote after two pairs of quotes:
index=x ... | rex "^(?:[^" \n]* "){3}(?P<index_ks>[^" ]+)"
Like @HiroshiSatoh mentioned the quotes shall be escaped like \" to make it as index=x ... | rex "^(?:[^\"\n]*\"){3}(?P<index_ks>[^\"]+)" if you feel your regex is working fine on regex101.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
09-10-2017
06:53 PM
It is necessary to escape double quotes.
ex.
| rex "^(?:[^\"\n]*\"){3}(?P
Get Updates on the Splunk Community!
Buttercup Games Tutorial Extension - part 9
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games Tutorial Extension - part 8
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Introducing the Splunk Developer Program!
Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
