- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex: syntax error in subpattern name (missing te...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I encountered the following error message :
Error Message:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<failed_step>STEP:[\w\W\n]+?RETRIES:\s{3}\d+)': Regex: syntax error in subpattern name (missing terminator)
The extraction works correctly in the Search and Reporting App.
This my html page:
<script>
var deps = [
"splunkjs/ready!",
"splunkjs/mvc",
"splunkjs/mvc/utils",
"splunkjs/mvc/searchmanager",
"splunkjs/mvc/chartview",
"splunkjs/mvc/checkboxgroupview",
"splunkjs/mvc/checkboxview",
"splunkjs/mvc/dropdownview",
"splunkjs/mvc/eventsviewerview",
"splunkjs/mvc/multidropdownview",
"splunkjs/mvc/radiogroupview",
"splunkjs/mvc/searchbarview",
"splunkjs/mvc/searchcontrolsview",
"splunkjs/mvc/singleview",
"splunkjs/mvc/tableview",
"splunkjs/mvc/textinputview",
"splunkjs/mvc/timelineview",
"splunkjs/mvc/timerangeview",
"splunkjs/mvc/simplexml",
"splunkjs/mvc/splunkmapview",
"jquery",
"splunk_wftoolkit/components/bubblechart/bubblechart",
"splunk.config",
"underscore"
];
require(deps, function(mvc) {
// Load individual components
var SearchManager = require("splunkjs/mvc/searchmanager");
var TimelineView = require("splunkjs/mvc/timelineview");
var ChartView = require("splunkjs/mvc/chartview");
var CheckboxGroupView = require("splunkjs/mvc/checkboxgroupview");
var CheckboxView = require("splunkjs/mvc/checkboxview");
var DropdownView = require("splunkjs/mvc/dropdownview");
var EventsViewer = require("splunkjs/mvc/eventsviewerview");
var MultiDropdownView = require("splunkjs/mvc/multidropdownview");
var RadioGroupView = require("splunkjs/mvc/radiogroupview");
var SearchbarView = require("splunkjs/mvc/searchbarview");
var SearchControlsView = require("splunkjs/mvc/searchcontrolsview");
var SingleView = require("splunkjs/mvc/singleview");
var TableView = require("splunkjs/mvc/tableview");
var TextInputView = require("splunkjs/mvc/textinputview");
var TimeRangeView = require("splunkjs/mvc/timerangeview");
var BubbleView = require("splunk_wftoolkit/components/bubblechart/bubblechart");
// Table (Top Failed Steps in test containing this error)
var Top_FailStep = new SearchManager({
id: "Top_FailStep",
search: mvc.tokenSafe('index=tirfile AND [search index=jobevent earliest=\"-1y\" latest=\"now\" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step \"(?<failed_step>STEP:[\\w\\W\\n]+?RETRIES:\\s{3}\\d+)\" '),
cache: true,
preview: true
});
var table_Top_FailStep = new TableView({
id: "table_Top_FailStep",
managerid: "Top_FailStep",
el: $("#table_Top_FailStep")
}).render();
I appreciate your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, thanks stephanefotso for trying to help.
I found the solution to my problem. Appears that when you are working with web framework you cannot use the HTML entity to add a < > symbols. The way around this is to simply escape < > symbols.
search: mvc.tokenSafe('index=tirfile AND [search index=jobevent earliest="-1y" latest="now" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step "(?\<failed_step\>STEP:[\\w\\W\\n]+RETRIES:\\s{3}\\d+)" max_match=0 '),
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, thanks stephanefotso for trying to help.
I found the solution to my problem. Appears that when you are working with web framework you cannot use the HTML entity to add a < > symbols. The way around this is to simply escape < > symbols.
search: mvc.tokenSafe('index=tirfile AND [search index=jobevent earliest="-1y" latest="now" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step "(?\<failed_step\>STEP:[\\w\\W\\n]+RETRIES:\\s{3}\\d+)" max_match=0 '),
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Escape double points STEP\: RETRIES\:in your regular expression, and let me know what happen.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There was no change. I tried singular escape (\) and double escape (\\).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
search: mvc.tokenSafe("index=tirfile AND [search index=jobevent earliest=\"-1y\" latest=\"now\" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step \"(?<failed_step>STEP\:[\\w\\W\\n]+?RETRIES\:\\s{3}\\d+)\" ")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There was no change.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wao! ok now try this:
search: mvc.tokenSafe("index=tirfile AND [search index=jobevent earliest=\"-1y\" latest=\"now\" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step \"(?<failed_step>STEP\:[\w\W\n]+?RETRIES\:\s{3}\d+)\" ")
or this
search: mvc.tokenSafe('index=tirfile AND [search index=jobevent earliest=\"-1y\" latest=\"now\" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step \\"(?<failed_step>STEP\:[\\w\\W\\n]+?RETRIES\:\\s{3}\\d+)\\" ')
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There was no change. The app page didn't load with the second one. I am going to update my question to bring more information about my page.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. also let me get your sample event where you are extracting failed_step
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot give you an example event because it is a large file. But I am extracting the fields correctly because I verified the regular expression in my Search and Reporting App and the table I want to have in my app.
The field "failed_step" is extracted from the field "test_step" and its values(test_step) look like this one.
STEP: 0902 RESULT: PASS ACTUAL: NO DATA READ RETRIES: 1
Basically what I am doing it's separating the steps that have failed from the general steps. Also the data format in the steps is unstructured and random. This is the reason why I am extracting everything with [\w\W\n].
I think the problem it is related with html. I really don't know anything about html and maybe there is some restriction that I am missing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is to well escape key words. It would be easier for me if I had one of your events, to make a test myself.
Thanks.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
