Very strange scenario. I'll use a rex statement to retrieve data and it works perfectly. If I copy and paste the rex command that Splunk used (Copied from Job Inspector) it does not work. I'll receive an error.
An actual snippet of raw data that I've used as an example in my erex statement. The data in bold is what went into my example. "usbProtocol":1,"deviceName":"Canon Digital Camera","vendorName":"Canon Inc.",
And the job inspector spat out the following:
| rex "(?i)\"deviceName\\\":\\\"(?P<Device>[^\\]+)"
And the data looked perfect, like so:
Canon Digital Camera
But if I use that rex statement spat out by the Job Inspector in my search Splunk says nay nay:
The error in Splunk received was "Error in 'rex' command: Encountered the following error while compiling the regex '(?i)"deviceName\":\"(?P<Device>[^\]+)': Regex: missing terminating ] for character class."
I reached out to a coworker that provided | rex ".*deviceName(?<Model>.*?),"
And it works to a degree, but includes characters that I'd rather not see in my data. Actual example of what is spat out:
\":\"Canon Digital Camera\"
Just also mentioning this in case it matters - where there is no data available/null within the "deviceName" raw data, it will show like this:
\":\"\"
I'd really appreciate some guidance with my regex code. I've been delving into this lately, used many training materials, but can't seem to figure this one out?!
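Added example, not part of the original post: the error message above shows that the pasted pattern lost one level of backslashes before it reached the regex compiler, which leaves `[^\]` as an unterminated character class. The Python sketch below models that quoted-string pass (an assumption inferred from the error text, with Python's `re` standing in for Splunk's regex engine) and shows a pattern that survives it; `INTENDED`, the helper names and the sample events are constructed, and the events assume the raw data carries literal `\"` sequences, as the coworker's output suggests.

```python
import re

# Pattern exactly as the post copied it from the Job Inspector.
JOB_INSPECTOR = r'(?i)\"deviceName\\\":\\\"(?P<Device>[^\\]+)'
# Regex quoted in the post's error message (what the compiler received).
FROM_ERROR = r'(?i)"deviceName\":\"(?P<Device>[^\]+)'
# Hypothetical regex the engine should receive: match the literal \":\"
# and capture up to the next backslash or quote (empty values allowed).
INTENDED = r'(?i)deviceName\\":\\"(?P<Device>[^\\"]*)'

# Constructed sample events with literal backslash-escaped quotes.
SAMPLE = r'\"usbProtocol\":1,\"deviceName\":\"Canon Digital Camera\",\"vendorName\":\"Canon Inc.\",'
EMPTY = r'\"usbProtocol\":1,\"deviceName\":\"\",'


def unquote_once(s):
    # Assumed model of one quoted-string pass: each backslash-backslash
    # pair becomes one backslash, each backslash-quote becomes a quote.
    return re.sub(r'\\([\\"])', r'\1', s)


def quote_once(s):
    # Inverse pass: what to type inside the quotes so that INTENDED
    # is what arrives after unquote_once.
    return re.sub(r'([\\"])', r'\\\1', s)


def compiles(pattern):
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_device(raw):
    m = re.search(INTENDED, raw)
    return m.group("Device") if m else None


if __name__ == "__main__":
    print("after one pass :", unquote_once(JOB_INSPECTOR))
    print("compiles?      :", compiles(unquote_once(JOB_INSPECTOR)))
    print("type in quotes :", quote_once(INTENDED))
    print("device         :", repr(extract_device(SAMPLE)))
    print("empty device   :", repr(extract_device(EMPTY)))
```

Under this model, matching one literal backslash takes four backslashes inside the quoted rex string: two for the regex, doubled again for the string pass.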