I have a rex built that when plugged into rex101 works fine, but when applied via a Splunk query, returns a blank result.
Text:
2022/02/01 23:07:26.979 [ERROR] [nrfClient.Discovery.nrf] Message send failed, response [Type:ABC Http2_Status:404 CauseCode:"CONTEXT_NOT_FOUND" RetryExhausted:true MsgType:1434 ServiceName:nabc SelectedProfileName:"abc-profile" FailureProfile:"FHABC" GroupID:"ABC-*" ]
rex:
Http2_Status:\d{3}\sCauseCode:\"(?<Error2>\w+)\"\s
rex101 result:
CONTEXT_NOT_FOUND
But when plugged into Splunk, it comes back with a blank result.
When I paste into Notepad, it just prints as one long line, nothing weird showing up. Maybe I need to try to do a split instead. It's just that the "Http2_status" doesn't always show up in the same place in the log outputs.
Error2 just shows up blank.
Something in your _raw field does not match the regex - can you paste the _raw field into a code block </> or something like Notepad to ensure there are no gotchas, e.g. null bytes, tabs instead of spaces, extra spaces, etc.
Using Splunk Enterprise 8.1.5
Splunk Enterprise version 8.1.5
Version:8.1.5
The rex works in Splunk also.
Which version of Splunk are you using?
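The check suggested in the thread (look in _raw for null bytes, tabs and extra spaces), written out in Python as an added example that is not part of the original posts. The function names and the variant events are constructed for illustration, and `re.ASCII` is an assumption used to keep `\s` ASCII-only as an approximation of how the pattern behaves in Splunk.

```python
import re
import unicodedata

# The thread's pattern. Python's re spells the named group (?P<name>...) where
# Splunk's PCRE accepts (?<name>...). re.ASCII (assumption) keeps \s and \w
# ASCII-only.
REX = re.compile(r'Http2_Status:\d{3}\sCauseCode:"(?P<Error2>\w+)"\s', re.ASCII)

def extract(raw):
    """Return the Error2 capture, or None when the pattern does not match."""
    m = REX.search(raw)
    return m.group("Error2") if m else None

def hidden_chars(raw):
    """List (offset, description) for characters an editor would not show:
    anything outside printable ASCII, plus the start of each run of spaces."""
    findings = []
    for i, ch in enumerate(raw):
        if ch == " " and raw[i - 1:i] != " " and raw[i + 1:i + 2] == " ":
            findings.append((i, "run of spaces"))
        elif not (" " <= ch <= "~"):
            name = unicodedata.name(ch, "control character")
            findings.append((i, f"U+{ord(ch):04X} {name}"))
    return findings

# Middle of the event from the post, then constructed variants of it.
CLEAN = 'response [Type:ABC Http2_Status:404 CauseCode:"CONTEXT_NOT_FOUND" RetryExhausted:true'
SAMPLES = {
    "as posted": CLEAN,
    "tab": CLEAN.replace("404 ", "404\t"),
    "two spaces": CLEAN.replace("404 ", "404  "),
    "nbsp": CLEAN.replace("404 ", "404\u00a0"),
    "nul bytes": CLEAN.replace("404 ", "404\x00 "),
}

def report():
    """Map each sample label to (extracted value, hidden-character findings)."""
    return {label: (extract(raw), hidden_chars(raw)) for label, raw in SAMPLES.items()}

if __name__ == "__main__":
    for label, (value, findings) in report().items():
        print(f"{label:11} Error2={value!r:20} {findings}")
```

A tab still satisfies the single `\s`, while a second space, a no-break space or a null byte after the status code leaves Error2 empty even though the line looks identical in an editor.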