Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

searchmanager : Error extracting fields

edrivera3
Builder
‎05-19-2015 12:57 PM

Hi
Today I started to work with the Django binding and I am trying to extract a field, but I encountered an error. I am not sure what is wrong. I tried to run the search inline and it worked correctly.

{% searchmanager
id="stats_count_by_cart_num"
search="index=jobevent NOT "Racu name" | rex "For\sCartNumber\s(?<cart_num>\w{2}\d{3})" | stats count by cart_num"
earliest_time="-2y@y"
latest_time="now"
cache=False
%}

⚠ Error in 'rex' command: The regex '"For\sCartNumber\s(?<cart_num>\w{2}\d{3})"' does not extract anything. It should specify at least one named group. Format: (?...).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎05-19-2015 02:39 PM

I think the problem should be your regular expression. Try this:

search="index=jobevent NOT \"Racu name\" | rex field=_raw  \"ForsCartNumbers(?<cart_num>w{2}d{3})\" | stats count by cart_num"
SGF

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎05-19-2015 02:39 PM

I think the problem should be your regular expression. Try this:

search="index=jobevent NOT \"Racu name\" | rex field=_raw  \"ForsCartNumbers(?<cart_num>w{2}d{3})\" | stats count by cart_num"
SGF
0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎05-19-2015 03:10 PM

Now, I am extracting the field using props.conf. I verified it in the Splunk App and the field values are correct so there is no problem with the regex. But for some reason there is not result found from the search. I think maybe the problem is related to some permission limitation but I am not sure where to look for them.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-19-2015 03:31 PM

I'm not sure about some permission here. I think you must escape double quotes properly. In some cases, instead of enclose your search wth double quotes you must use simple quotes. Something like this

 search='index=jobevent NOT \"Racu name\" | rex field=_raw  \"ForsCartNumbers(?&lt;cart_num&gt;w{2}d{3})\" | stats count by cart_num'
SGF
0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎05-20-2015 07:41 AM

Thank you. You were right. I made the changes and it worked perfectly.

0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎05-19-2015 01:27 PM

UPDATE: ;
I decided to extract the field in props.conf, but I encountered an error anyway: No results found.

search="index=jobevent NOT "Racu name" | stats count by cart_num"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...