×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
frnSpLrnr11
Engager
Member since: ‎11-07-2022
‎11-11-2022
Community Statistics
Posts 1
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-07-2022
Activity Feed
Topics I've Started
View All

Unable to get fields with rex?

by in Splunk Search
‎11-07-2022 07:36 AM
‎11-07-2022 07:36 AM
Hello,   I have this search results:       Error for user flow: AAAAA - user: BBBB - Msg: {\"_errorCode\":Z, \"_message\": \"Example Error Message\"}       I'm trying to get the number of each each _errorCode for each user flow. I started with      index="example_index" source="example_source" sourcetype="example_st" Error for | rex field=_raw "user flow: (?<user_flow>\w+)" | stats count as ErrorCount by user_flow       I was able to get the number of error occurrences under each user flow. I wanted to expand this query to be more granular and include the error code so I would have: UserFlow ErrorCode Error Count AAAA X 5 AAAA Y 7 BBBB F 1 BBBB G 2   This is the query I came up with but the statistics tab are no longer showing anything     index="example_index" source="example_source" sourcetype="example_st" Error for | rex field=_raw "user flow: (?<user_flow>\w+)" | rex field=_raw "_errorCode:\\\":(?<error_code>\d+)" |stats count as ErrorCount by user_flow, error_code     I see the events tab are still populated with search results  but it looks like my addition to the query is not quite correct. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-11-2022 08:09 AM
Karma given to
View All