- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why am I getting "Error in 'rex' command...Regex: ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
I am brand new to Splunk and can't for the life of me figure out what I am doing wrong. I would like to pull the following data from raw text (about 10 lines of so of raw text), extract to a new field and then replace data in that field from paren number paren with a period. So (number) with .
Sample data
(1)dkfj(10)dkeiieii(2)ljflkkldj(3)
(2)datadata(1)dta(10)dat(2)
(8)sample(3)sample(0)
I am using the following command in Splunk, but when I try to display the results, I get blank data:
tag=unencoded | rex "(?<formatEncode>(\(\d+\))(\w+\(\d+\))+\w+(\(\d+\))" | rex mode=sed field=formatEncode "s/([0-9])/./g" | stats by formatEncode
I tested the regex and the sed substitution and both work just fine. I get the following error when I try to run it in Splunk:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<formatEncode<(\(\d+\))(\w+\(\d+\))+\w+(\(\d+\))': Regex: missing )
Any help or pointer would be greatly appreciated.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like you are missing a bracket at the end of your first rex command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm assuming your sample data in question is showing data to be extracted from 3 different events.
You Sample data has variable number of strings (enclosed between numbers). Is that correct? Could you post full raw event as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like you are missing a bracket at the end of your first rex command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually that was the issue, thanks.
For those trying to do something similar here is the command I used
rex "(?(\(\d+\))([A-Za-z0-9_\-]+\(\d+\))+\w+(\(\d+\)))" | rex mode=sed field=formatEncode "s/\([0-9]\)/./g" | stats by formatEncode
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
