- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is "rex field" not producing results when used...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search works correctly in Splunk Web:
index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)" | stats count by client
But using it in an API call returns nothing:
curl -u user:'password' -k https://localhost:8089/services/search/jobs/export -d search='search index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)" | stats count by client' -d output_mode=csv -d earliest_time="-1d" -d latest_time="-1m"
I can get other searches to execute correctly via API calls, and even other versions of this search that return multiple other fields. But if I ask it to return field "client" also, it always renders nothing for output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried specifying your search with --data-urlencode instead of -d (which doensn't URL encode). Your search contains a +, which I believe represents a space unless URL encoded.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried specifying your search with --data-urlencode instead of -d (which doensn't URL encode). Your search contains a +, which I believe represents a space unless URL encoded.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did it. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there really asterisks in that regex around the word "client" in the two searches?
If asterisk-client-asterisk is a valid name, it needs to be used in the "by" clause as well as the rex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Corrected the above queries. They now show correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Were you able to figure this out? I'm having the same issue. rex doesn't seem to generate new fields when used in the API
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No was never able to get it to work. We ended up having to write a perl script to parse the output instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I actually was able to make it work.
For some reason, the rex expression that I was using in the UI didn't work. But when I rewrote to be based off of _raw rather than another field, that did the trick. You have to write a more complex expression, but for me, it wasn't terrible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, there are no asterisks. It is actually like this: (?<client>\w+)
When I was putting the question in, the preview window showed only (?\w+). So adding asterisks made it print in italics, but at least show correctly. Didn't know that once the question got approved and posted it would literally add the asterisks in.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
