Rex command issue in splunk views

iamniks · ‎06-06-2012

Hi,

i am using the below search command in a splunk view as given below.

index=re sourcetype="clearcase_Log" "Trouble opening VOB database" earliest=-7d |rex field=_raw ".vbstore/(?.).vbs" |
stats count as "ERROR INSTANCES" by vob

is causing trouble as we have to place search query inside

***Error in 'rex' command: Encountered the following error while compiling the regex '.*vbstore/(?
.).vbs': Regex: unrecognized character after (? or (?-****

Ayn · ‎06-06-2012

When you're enclosing the tags that are causing you trouble in an XML document, they are interpreted as part of the XML data rather than as part of the rex command. To specify that these tags are not referring to the XML structure, use the special escaping sequence "<![CDATA[" at the beginning of your string and its corresponding end sequence "]]>" at the end. Example here: http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex

Ayn · ‎06-06-2012

Awesome. Could you please mark my answer as accepted? Thanks!

iamniks · ‎06-06-2012

This works now.. grt thank you . I had left an extra special char.

Ayn · ‎06-06-2012

Also your extraction probably doesn't extract what you want. You likely want .vbstore/(?<vob>.+?)\.vbs

Ayn · ‎06-06-2012

Are you using a space after the ( character? You shouldn't, it's incorrect syntax and would cause Splunk to throw that error.

iamniks · ‎06-06-2012

doesnt work for CDATA also

iamniks · ‎06-06-2012

Error in 'rex' command: Encountered the following error while compiling the regex '.vbstore/(? .).vbs': Regex: unrecognized character after (? or (?-**

iamniks · ‎06-06-2012

i mean i tried to use (without spaces)
"& l t ;" for < and "& g t ;" for > but failed

Rex command issue in splunk views

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!