Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

erex not working in splunk 6

mjones414
Contributor
‎10-31-2013 08:40 PM

In previous versions of splunk, I've been able to use erex at search time to define a regular expression based on search time data, which is especially helpful in very large events or very spread out events. It used to display the regular expression needed to extract the field properly below the search bar. Now I get an error every time I try to use it that says:

The external search command 'erex' did not return events in descending time order, as expected. and it no longer tries to build the rex statement. Is this a regression? erex was an extremely valuable search command and I'd love to get it back!

Tags (3)
0 Karma
Reply

bravon
Communicator
‎08-17-2015 04:07 AM

I am also in a "Searching and Reporting " session (Self paced) and i also get this error

0 Karma
Reply

triest
Communicator
‎10-04-2014 12:39 PM

In reading the question, it looked like there were two parts:

  1. Where is the regular expression
  2. The error message about The external search command 'erex' did not return events in descending time order, as expected.

I think the first part has been answered, but not the second, so ...

If you see that error message, try sorting the data before the erex command (e.g. | sort -_time )

I'm actually in the Searching and Reporting training session and we saw the error message. When it wasn't working, I googled and found this page, but no solution. I then asked the instructor who didn't know. Since I found this work around, I just wanted to share in hopes of helping some one.

Just FYI I saw it on 6.1.3

Reply

sophy
Splunk Employee
Splunk Employee
‎11-26-2013 01:55 PM

The regex is still available, it's just not presented as a banner. You can view it under the Job menu. See screenshot.

Reply

sophy
Splunk Employee
Splunk Employee
‎11-26-2013 02:08 PM

Yay! I will update the docs as well.

Reply

jordanperks
Path Finder
‎11-26-2013 02:04 PM

Sophy, you are awesome. Thank you. That worked for me.

Reply

jordanperks
Path Finder
‎11-26-2013 09:43 AM

I am wondering the same. I have not received an error, but the erex does not attempt to build a rex statement.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...