I have a weird problem with the rex command on Splunk version 4.2.1. This is the rex I use with a timeframe of Previous month:
... | rex "FROM \"dbo\"\.\"(?<table>[a-zA-Z_]*)\"" | top table
This returns 10 tables while I should have 27. Splunk is installed on a Linux server so I used grep on the log files for the month of April and found 27 tables.
Splunk found the tables in the following log entries:
... FROM "dbo"."AUTOP" ...
... FROM "dbo"."DECES_MSSS" ...
... FROM "dbo"."INDV" ...
... FROM "dbo"."INDV_ANAL" ...
... FROM "dbo"."MED_SEJ_HOSP" ...
... FROM "dbo"."RESID" ...
... FROM "dbo"."SERV_MEDI" ...
... FROM "dbo"."V_CARDIO_SERV_MEDI" ...
... FROM "dbo"."V_DIABETE_SERV_MEDI" ...
... FROM "dbo"."V_MENTALDEMENCE_SERV_MEDI" ...
but skipped all the following tables:
... FROM "dbo"."ADMI_ASSU_MALA" ...
... FROM "dbo"."ADMI_ASSU_MEDI" ...
... FROM "dbo"."CLAS_PROF" ...
... FROM "dbo"."DECOMPTE" ...
... FROM "dbo"."FUSI_SCIS" ...
... FROM "dbo"."INSC_PROF" ...
... FROM "dbo"."MED_SEJ_HOSP_CONS" ...
... FROM "dbo"."MED_SEJ_HOSP_INTRVN" ...
... FROM "dbo"."MED_SEJ_HOSP_SERV" ...
... FROM "dbo"."MED_SEJ_HOSP_SOIN_INTSF" ...
... FROM "dbo"."MED_SEJO_HOSP_DIAG" ...
... FROM "dbo"."PROV" ...
... FROM "dbo"."SERV_OPTO" ...
... FROM "dbo"."SERV_PHARM" ...
... FROM "dbo"."TERR" ...
... FROM "dbo"."V_ASTHME_SERV_MEDI" ...
... FROM "dbo"."V_MED_SEJ_HOSP_COURT_DUR" ...
This is a pretty simple regular expression. What could be wrong with it?
Thanks,
Bernard
I would say your regular expression is fine. It's your use of "| top", which by default only shows the "top 10" results of the search. You can add a limit=xxx to top to expand how many results it shows.