Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issue: I haved added rex in our web data model app but it is show error

PCIIT
New Member
‎01-10-2019 08:26 AM

Hello Sir ,
I am having issue with the Splunk App for Web data model... but not sure where the problem is.
I have replaced regex in our data model .json file but it is not working.
In our data model , we have some field (date, time , decision_list) and added Rex in expression like
Rex:
"expression": "^([\w]+-)(?[\w]+[^-]+)" but it is giving error "

{
"outputFields": [
{
"fieldName": "Description",
"owner": "Event",
"type": "string",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "Description",
"comment": "",
"fieldSearch": ""
}
],
"inputField": "decision_list",
"calculationID": "asdfassdfg",
"owner": "Event",
"editable": true,
"comment": "",
"calculationType": "Rex",
"expression": " ^([\w]+-)(?[\w]+[^-]+)"
},

when I am searching in Dashboard so facing Error in Dashboard :

Error:
"Error in 'PivotProcessor': Error in 'DataModelEvaluator': JSON for data model 'Web_Acc_Data' is invalid."

This regex is working perfectly in regex editor.
Someone has any clue?

Tags (1)
0 Karma
Reply

lakshman239
Influencer
‎01-10-2019 09:28 AM

I assume you are taking the standard 'Web' datamodel that comes with Splunk_SA_CIM and updating the Web.json file.

What's your use case/requirement? If you want to edit any calculated fields, you can do the same via GUI [ Settings -> Datamodels and select the datamodel, and edit it and validate them before saving it]

https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Managedatamodels

0 Karma
Reply

PCIIT
New Member
‎01-10-2019 11:04 AM

we have our own web security reporting APP . it is working fine with below regex.
^([^\_\-]+)\_([^\-]+)-(?[^-]+) ----> working fine
but i have replaced with below regex which is not working
^([\w]+-)(?[\w]+[^-]+) -------> not working

i have input field decision_list which is used for output field description
here decision_list = DECR_WEB_7-webGroup-SH_Auth-DefaultGroup-NONE-NONE-DefaultGroup
description = webGroup ---->expecting field description value so write regex expression but it is not working

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...