Solved: 'rex' command in 6.6.2 Splunk

udayk1 · ‎07-19-2017

I am trying to use the 'rex' command in one of our searches but not successful, the same search was working 1 month back before upgrade, now it stopped. Any help please?

It throws me an error as ERROR SearchOperator:rex - Error in 'rex' command: Encountered the following error while compiling the regex '(?is) cat=(?.*?) sourceServiceName=': Regex: unrecognized character after (? or (?-

Below is the command I use,

sourcetype=***bla blaa***
| rex field=_raw "(?is) cat=(?.*?) sourceServiceName="
| rex field=_raw "(?is) duser=(?.*?) fname="
| rex field=_raw "(?is) msg=(?.*?) suser="
| rex field=_raw "(?is) suser=(?.*?) cat="
| table _time Suser Cat Duser Msg act

wenthold · ‎07-20-2017

Edit: the code block isn't quite working correctly and the formatting is messed up the first try. Hopefully this fixes it.

sourcetype=bla blaa
| rex field=_raw "(?is) cat=(?<cat>.*?) sourceServiceName="
| rex field=_raw "(?is) duser=(?<duser>.*?) fname="
| rex field=_raw "(?is) msg=(?<msg>.*?) suser="
| rex field=_raw "(?is) suser=(?<suser>.*?) cat="
| table _time Suser Cat Duser Msg

I'm pretty sure it would be better to combine these where you can, instead of running multiple REX commands, for example:

| rex field=_raw "(?is)msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=" | rex field=_raw "(?is) duser=(?<duser>.*?) fname="

I can't tell where duser is in the _raw field (assuming it's in the same message) but you can probably combine this all into one rex command:

| rex field=_raw "(?is)msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=.*? duser=(?<duser>.*?) fname="

or

| rex field=_raw "(?is)duser=(?<duser>.*?) fname=.*? msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName="

View solution in original post

woodcock · ‎07-20-2017

I agree with the parser; what in the world is (?.*?) supposed to do?

wenthold · ‎07-20-2017

Edit: the code block isn't quite working correctly and the formatting is messed up the first try. Hopefully this fixes it.

sourcetype=bla blaa
| rex field=_raw "(?is) cat=(?<cat>.*?) sourceServiceName="
| rex field=_raw "(?is) duser=(?<duser>.*?) fname="
| rex field=_raw "(?is) msg=(?<msg>.*?) suser="
| rex field=_raw "(?is) suser=(?<suser>.*?) cat="
| table _time Suser Cat Duser Msg

I'm pretty sure it would be better to combine these where you can, instead of running multiple REX commands, for example:

| rex field=_raw "(?is)msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=" | rex field=_raw "(?is) duser=(?<duser>.*?) fname="

I can't tell where duser is in the _raw field (assuming it's in the same message) but you can probably combine this all into one rex command:

| rex field=_raw "(?is)msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=.*? duser=(?<duser>.*?) fname="

or

| rex field=_raw "(?is)duser=(?<duser>.*?) fname=.*? msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName="

woodcock · ‎07-20-2017

The field=_raw is an implied default.

skalliger · ‎07-20-2017

(?.?)

That right there. It's an incomplete group structure. That won't work.

Skalli

cmerriman · ‎07-20-2017

i suggest going to regex101.com and putting in some sample data and working out the regex. otherwise, if you could input some of the data, it would be helpful for us to assist you. but @skalliger is correct, you need to fix the group structure. cat=(?<cat>.*) perhaps, however that is greedy and you'd likely want to edit it to match your data

'rex' command in 6.6.2 Splunk

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms