Solved: Deployment Monitor Throwing Errors

OldManEd · ‎05-22-2014

Just loaded the Deployment Monitor, v5.0.3, and it's throwing errors;

ERROR SearchOperator:kv - Cannot compile RE \"(?i)Subscription-Name>(?P<Subscription-Name>.+?)<\" for transform 'EXTRACT-Subscription_Name': Regex: syntax error in subpattern name (missing terminator)

And it's doing this for a bunch of fields;

Subscription-Name
Network-Status
Network-ID
Authentication-Type
Algorithm-Name
Subscription-Name
Network-Status
etc.

Has anyone seen this before?

OldManEd · ‎06-11-2014

OK, I opened up a trouble ticket with Splunk support on this one and they figured it out. In the /opt/splunk/etc/apps/search/local/props.conf file, under the [sprprovisioning] stanza, the fields were defined as follows;

EXTRACT-Subscription_Name = (?i)Subscription-Name>(?P<Subscription-Name>.+?)<

The problem was with the "(?P<Subscription-Name>" section. On support's suggestion I was asked to change the dash to an underscore on all the fields with problems as seen below;

EXTRACT-Subscription_Name = (?i)Subscription-Name>(?P<Subscription_Name>.+?)<

That cleaned it up.

View solution in original post

OldManEd · ‎06-11-2014

OK, I opened up a trouble ticket with Splunk support on this one and they figured it out. In the /opt/splunk/etc/apps/search/local/props.conf file, under the [sprprovisioning] stanza, the fields were defined as follows;

EXTRACT-Subscription_Name = (?i)Subscription-Name>(?P<Subscription-Name>.+?)<

The problem was with the "(?P<Subscription-Name>" section. On support's suggestion I was asked to change the dash to an underscore on all the fields with problems as seen below;

EXTRACT-Subscription_Name = (?i)Subscription-Name>(?P<Subscription_Name>.+?)<

That cleaned it up.

Deployment Monitor Throwing Errors

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!