Splunk Search

Rex command issue in splunk views

iamniks
Explorer

Hi,

i am using the below search command in a splunk view as given below.

index=re sourcetype="clearcase_Log" "Trouble opening VOB database" earliest=-7d |rex field=_raw ".vbstore/(?.).vbs" |
stats count as "ERROR INSTANCES" by vob

is causing trouble as we have to place search query inside tags. I tried to use < and > for < and > respectively which failed too. Can you please help me with the below error?

***Error in 'rex' command: Encountered the following error while compiling the regex '.*vbstore/(?
.
).vbs': Regex: unrecognized character after (? or (?-
****

Tags (1)
0 Karma

Ayn
Legend

When you're enclosing the tags that are causing you trouble in an XML document, they are interpreted as part of the XML data rather than as part of the rex command. To specify that these tags are not referring to the XML structure, use the special escaping sequence "<![CDATA[" at the beginning of your string and its corresponding end sequence "]]>" at the end. Example here: http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex

Ayn
Legend

Awesome. Could you please mark my answer as accepted? Thanks!

0 Karma

iamniks
Explorer

This works now.. grt thank you . I had left an extra special char.

0 Karma

Ayn
Legend

Also your extraction probably doesn't extract what you want. You likely want .vbstore/(?<vob>.+?)\.vbs

0 Karma

Ayn
Legend

Are you using a space after the ( character? You shouldn't, it's incorrect syntax and would cause Splunk to throw that error.

0 Karma

iamniks
Explorer

doesnt work for CDATA also

0 Karma

iamniks
Explorer

Error in 'rex' command: Encountered the following error while compiling the regex '.vbstore/(? .).vbs': Regex: unrecognized character after (? or (?-**

0 Karma

iamniks
Explorer

i mean i tried to use (without spaces)
"& l t ;" for < and "& g t ;" for > but failed

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...