The following search returns results:
"context"
But this one does not:
regex "context"
And neither does this:
regex _raw="context"
+Why not?+
I am using Splunk 4.3.3 and according to http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Regex the previous 2 are valid and should return results.
I know that the word "context" is mentioned in my "_raw" field many times because I've exported a number of log events and found it there.
I believe the regex command needs to be part of a pipeline, otherwise the search is actually going to be for the exact term that you specify. So, this probably wouldn't work:
regex "context"
...but this should:
| regex "context"
Please let us know if this works, thanks!
I believe the regex command needs to be part of a pipeline, otherwise the search is actually going to be for the exact term that you specify. So, this probably wouldn't work:
regex "context"
...but this should:
| regex "context"
Please let us know if this works, thanks!
Interesting! I didn't get that error but I tested on 5.0.2. Thanks for posting what worked for you!
This didn't work: | regex "context"
Neither did this: * | regex "context"
In both cases I got this error: Error in 'SearchOperator:regex': Usage: regex
But your answer led me to this which worked: * | regex _raw="context"