Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem with rex not doing anything at all, not even in its simplest form!

fere
Path Finder
‎03-13-2014 03:49 PM

Hi,
I am trying to extract the string after the first space, so for ex. I need to extract:
"02-main-menu" for the first record and "02-world" for the second record below. However, since I can't get the rex work, I thought I just test rex with a simplest format and see what it does, adn sure enough, it seems it doesn't do anything!

| inputlookup bwCustomerTransMovesByFlow_20130213-15.csv | fields move1 | eval c=mvcount(move1) | rex field=move1 "(?<mytest>)"  
_time                           move1                   c   mytest
2/13/14 5:34:04.000 AM      01-ios 02-main-menu 1       
2/13/14 12:51:13.000 AM         01-ios 02-world         1

Just to be sure that the field move1 is not being a multivalue Idid the mvcount(move1) and it returns 1 for all. I also tried doing "nomv move1" which did not make any difference.
The data in the inputlookup is generated as following:

....|  | transaction CUSTOMER_KEY  connected=t mvlist=t  keepevicted=t keeporphans=t  |   eval move1=mvindex(this_move2,0,1) | .... | makemv delim="," move1 |..... | sort 0 CUSTOMER_KEY | outputlookup bwCustomerTransMovesByFlow_20130213-15.csv

btw, I forgot to take out "makemv delim="," move1", but it didn't do anything anyway I think becasue it did ot insert "," anywhere. Besides, nomv supposedly should undo it.

Apreciate a quick repsonse. I am stuck!

Thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎03-13-2014 11:02 PM

Your rex doesn't do anything because you're not telling it to do anything. When you do rex field=move1 "(?<mytest>)" you're not including anything to capture in your matching group, and so nothing will be captured either.

The simplest form to try out would be a matching group with .+ ("read all characters from input", more or less), so in your case you would do:

... | rex field=move1 "(?<mytest>.+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎03-13-2014 11:02 PM

Your rex doesn't do anything because you're not telling it to do anything. When you do rex field=move1 "(?<mytest>)" you're not including anything to capture in your matching group, and so nothing will be captured either.

The simplest form to try out would be a matching group with .+ ("read all characters from input", more or less), so in your case you would do:

... | rex field=move1 "(?<mytest>.+)"
Reply
Solved! Jump to solution

fere
Path Finder
‎03-14-2014 01:09 AM

Isn't . (dot) mean any character except new line? When I use the above regex for
move1="01-ios 02-main-menu"
it returns "01-ios" for mytest. How does it know that it should stop at the space?

I am trying to come up with the regex that would actually return the part after the last white space (in this ex. "02-main-menu".
Appreciate your help.

0 Karma
Reply
Solved! Jump to solution

fere
Path Finder
‎03-14-2014 12:01 AM

It works. Many thanks for your quick response.

0 Karma
Reply
Solved! Jump to solution

krish3
Contributor
‎03-13-2014 04:32 PM

Try with this...

rex field=move1 "^(?<mytest>\w+$)"
0 Karma
Reply
Solved! Jump to solution

fere
Path Finder
‎03-13-2014 10:54 PM

it doesn't work. it returns null for mytest.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...