Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem with rex not doing anything at all, not even in its simplest form!

fere
Path Finder
‎03-13-2014 03:49 PM

Hi,
I am trying to extract the string after the first space, so for ex. I need to extract:
"02-main-menu" for the first record and "02-world" for the second record below. However, since I can't get the rex work, I thought I just test rex with a simplest format and see what it does, adn sure enough, it seems it doesn't do anything!

| inputlookup bwCustomerTransMovesByFlow_20130213-15.csv | fields move1 | eval c=mvcount(move1) | rex field=move1 "(?<mytest>)"  
_time                           move1                   c   mytest
2/13/14 5:34:04.000 AM      01-ios 02-main-menu 1       
2/13/14 12:51:13.000 AM         01-ios 02-world         1

Just to be sure that the field move1 is not being a multivalue Idid the mvcount(move1) and it returns 1 for all. I also tried doing "nomv move1" which did not make any difference.
The data in the inputlookup is generated as following:

....|  | transaction CUSTOMER_KEY  connected=t mvlist=t  keepevicted=t keeporphans=t  |   eval move1=mvindex(this_move2,0,1) | .... | makemv delim="," move1 |..... | sort 0 CUSTOMER_KEY | outputlookup bwCustomerTransMovesByFlow_20130213-15.csv

btw, I forgot to take out "makemv delim="," move1", but it didn't do anything anyway I think becasue it did ot insert "," anywhere. Besides, nomv supposedly should undo it.

Apreciate a quick repsonse. I am stuck!

Thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎03-13-2014 11:02 PM

Your rex doesn't do anything because you're not telling it to do anything. When you do rex field=move1 "(?<mytest>)" you're not including anything to capture in your matching group, and so nothing will be captured either.

The simplest form to try out would be a matching group with .+ ("read all characters from input", more or less), so in your case you would do:

... | rex field=move1 "(?<mytest>.+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎03-13-2014 11:02 PM

Your rex doesn't do anything because you're not telling it to do anything. When you do rex field=move1 "(?<mytest>)" you're not including anything to capture in your matching group, and so nothing will be captured either.

The simplest form to try out would be a matching group with .+ ("read all characters from input", more or less), so in your case you would do:

... | rex field=move1 "(?<mytest>.+)"
Reply
Solved! Jump to solution

fere
Path Finder
‎03-14-2014 01:09 AM

Isn't . (dot) mean any character except new line? When I use the above regex for
move1="01-ios 02-main-menu"
it returns "01-ios" for mytest. How does it know that it should stop at the space?

I am trying to come up with the regex that would actually return the part after the last white space (in this ex. "02-main-menu".
Appreciate your help.

0 Karma
Reply
Solved! Jump to solution

fere
Path Finder
‎03-14-2014 12:01 AM

It works. Many thanks for your quick response.

0 Karma
Reply
Solved! Jump to solution

krish3
Contributor
‎03-13-2014 04:32 PM

Try with this...

rex field=move1 "^(?<mytest>\w+$)"
0 Karma
Reply
Solved! Jump to solution

fere
Path Finder
‎03-13-2014 10:54 PM

it doesn't work. it returns null for mytest.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...