×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
berserkersyco
New Member
Member since: ‎12-11-2020
‎12-23-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-11-2020
Activity Feed
Topics I've Started
View All

MAP with REGEX not working

by in Splunk Search
‎12-11-2020 01:54 PM
‎12-11-2020 01:54 PM
hi, i wanted to fetch some information from my logs. here is the scenario: index=xyz host=xxx.com source="/as/df/gh/*.log" "[error]" | rex field=_raw "LoadPlanName:\s(?P<LP_Name>[^\]]*)" | table LP_Name | dedup LP_Name above query gives me the result as below LP_Name LP_abc LP_abc1 LP_abc2 now from the same source i want to fetch other details for the LP_Name extracted above i.e LP_abc, LP_abc1, LP_abc2, for that i tried to create below query which is not working: index=xyz host=xxx.com source="/dir1/dir2/*.log" "[error]" | rex field=_raw "LoadPlanName:\s(?P<LP_Name>[^\]]*)" | table LP_Name | dedup LP_Name | map search = "search index=xyz host=xxx.com source="/dir1/dir2/*.log" "[completed]" | rex field=_raw "LoadPlanName:\s(?P<LPN>[^\]]*)" LPN=$LP_Name" For above query i have been getting below error: Error in 'SearchParser': Missing a search command before '^'. Error at position '417' of search query 'search index=oitp host=ITCNCHN-LX4* source="/opt/o...{snipped} {errorcontext = s(?P<LPN>[^\]]*)" L}'. i have been struggling with it from a long time now, need help to get the the data that i desired. Thanks in advance. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-23-2020 11:36 AM