Splunk Search

regex error only when saving to summary index

billycote
Path Finder

This is my query.

index=snaptor sourcetype=AccessApp
| fillnull value=NULL
| eval query_string = upper(query_string)
| fields uri, productid, query_string  
| rex field=query_string "(SYMBOL=|SYMBOLS=|P1=|P2=)+(?[.:\-\w]+(,[.:\-\w]+)*|[\w])" 
| eval syms=upper(syms) 
| eval syms = urldecode(syms) 
| rex field=syms mode=sed "s/\+/,/g"
| makemv delim="," syms 
| mvexpand syms
| stats count(uri) by productid, uri

It works fine until I try to write the results to a summary index and that's when I see this error:

Error in 'rex' command: Regex match error, please check log 

The only thing I can find in the log is this:

05-26-2016 03:04:23.204 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'rex' command: Regex match error, please check log

but then again I'm not great at interpreting the log. Is there something wrong with my regex? Like I said it works outside the summary index.

0 Karma

woodcock
Esteemed Legend

I think @somesoni2 is on to something. It is quite possible that there are 2 different RegEx parsers and one (non-SI) doesn't care if you capture things without naming them but then the other one (SI) does care. In any case, try adding names like he indicates.

0 Karma

billycote
Path Finder

Hmm... . Maybe the web doesn't like the < in there but this should have been in the original post.

| rex field=query_string "(SYMBOL=|SYMBOLS=|P1=|P2=)+(?<syms>[.:\-\w]+(,[.:\-\w]+)*|[\w])" 
0 Karma

somesoni2
SplunkTrust
SplunkTrust

I don't see any fields extracted using name capturing groups in your regex ( like (?<fieldname>someregex+) ). Did you miss while copying the query OR editor truncated it?

0 Karma

billycote
Path Finder
| rex field=query_string "(SYMBOL=|SYMBOLS=|P1=|P2=)+(?<syms>[.:\-\w]+(,[.:\-\w]+)*|[\w])" 
0 Karma

woodcock
Esteemed Legend

How exactly are you "trying to write the results to a summary index"?

0 Karma

billycote
Path Finder

scheduled search with summary index enabled.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...