Splunk Enterprise Security

Can anyone tell me why I am getting the following search error: "Error in 'rex' command: Invalid argument: 'NOT'"

Harish217
New Member

Can anyone let me know why I am getting this error?

| rex field=url "(?<domain>\w+\.\w+)\/"
    [| inputlookup IOCs-URLs.csv
    | stats values(UrL) as url
    | format]
| stats count as NumOTimes by src_ip,url
0 Karma

splunkerer
Path Finder

These are mostly because of search order. Let me give an example.

If you run this one, you will get the exact same error message "Error in 'rex' command: Invalid argument: 'NOT'":

index=foo OR index=bar
| spath output=message path=message
| rex field=message "dst=(?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    [| makeresults | eval remote_ip=""
    | eval remote_ip=split(remote_ip,",")
    | mvexpand remote_ip
    | table remote_ip]
| stats dc(remote_ip) as total

 


However, if you run the following, there is no error at all. Hope this helps. So the problem is not with rex; it is highly likely due to the search logic.

index=foo OR index=bar
| spath output=message path=message
| rex field=message "dst=(?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| search [| makeresults | eval remote_ip=""
    | eval remote_ip=split(remote_ip,",")
    | mvexpand remote_ip
    | table remote_ip]
| stats dc(remote_ip) as total



0 Karma

richgalloway
SplunkTrust
SplunkTrust

The \/ sequence in rex commands requires additional escaping. Try `\\\/`.

BTW, if you put your SPL inside backticks (`) or highlight it and click the "101010" button special characters will be preserved and we'll be able to see the full query.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Harish217
New Member

Didn't work, still the same error: Error in 'rex' command: Invalid argument: 'NOT'

Here is my current SPL:

index=xxxx*
| rex field=url "(?<domain>\w+\.\w+)\\/"
    [| inputlookup IOCs-URLs.csv
    | stats values(UrL) as url
    | format]
| stats count as NumOTimes by src_ip,url
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The general rule of thumb for escape characters in rex is to add more until the command works.
My answer had three backslashes, but your comment only has two. Perhaps that's just a copy error.

I totally missed another problem that could be causing the error. The inputlookup subsearch looks like it's misplaced. Recall that subsearches execute first and the results are substituted into the main search. So, after your subsearch the main search will look something like index=xxxx* | rex field=url "(?<domain>\w+\.\w+)\\\/" fourtion.com/qyBf2DfGd | stats count as NumOfTime by src_ip,url. See how Splunk would think you have an invalid rex command?

Before we spend too much time debugging the subsearch, please explain what you are trying to do with it. There may be another way to achieve your goal.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Harish217
New Member

I have tried it with three backslashes as well. No luck!

Here is my scenario: I have a list of IOCs that I would like to search against our datasets (indexes) to find out if any users tried to reach those IOCs. As the list of IOCs kept increasing, we created a lookup table with a list of 80+ URLs (without the 'http://'), for example: fourtion.com/qyBf2DfGd

Now that I have created the lookup table, I would like to see if any user has accessed the IOCs listed in the inputlookup table, in Enterprise Security using SPL. Let me know if you need more information.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this

# This will find any events containing a string from the IOCs-URLs.csv lookup table
index=xxxx* [ | inputlookup IOCs-URLs.csv | return 100 $url ] 
| stats count as NumOfTime by src_ip, url
---
If this reply helps you, Karma would be appreciated.
0 Karma
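As an added illustration (not code from the thread), the matching that the search above performs, reimplemented in Python over constructed proxy events and a constructed stand-in for the IOCs-URLs.csv lookup: events whose url field contains an IOC string are kept and counted by src_ip and url, and the thread's rex pattern is applied to show what it extracts as the domain. The event and lookup contents are assumed; only the IOC value fourtion.com/qyBf2DfGd comes from the thread.

```python
import csv
import io
import re
from collections import Counter

# Constructed stand-in for the IOCs-URLs.csv lookup: a "url" column holding
# scheme-less IOC strings, as described in the thread.
IOC_CSV = """url
fourtion.com/qyBf2DfGd
example-ioc.net/landing
"""

# Constructed proxy events carrying the src_ip and url fields the stats groups by.
EVENTS = [
    {"src_ip": "10.1.1.5", "url": "http://fourtion.com/qyBf2DfGd"},
    {"src_ip": "10.1.1.5", "url": "http://fourtion.com/qyBf2DfGd"},
    {"src_ip": "10.1.1.5", "url": "https://fourtion.com/qyBf2DfGd?id=7"},
    {"src_ip": "10.1.1.9", "url": "http://example-ioc.net/landing/page.html"},
    {"src_ip": "10.1.1.9", "url": "http://benign.example.org/index.html"},
    {"src_ip": "10.1.1.12", "url": "http://fourtion.com/other"},
]

# The thread's rex pattern "(?<domain>\w+\.\w+)\/" in Python named-group syntax.
DOMAIN_RE = re.compile(r"(?P<domain>\w+\.\w+)/")


def load_iocs(text):
    """Read the lookup as inputlookup would: one IOC string per row of 'url'."""
    rows = csv.DictReader(io.StringIO(text))
    return [r["url"].strip() for r in rows if r["url"].strip()]


def extract_domain(url):
    """Apply the thread's regex. It stops at '-' because '-' is not a word
    character, so a hyphenated host such as example-ioc.net yields 'ioc.net'."""
    m = DOMAIN_RE.search(url)
    return m.group("domain") if m else None


def match_events(events, iocs):
    """Approximate 'index=... [ | inputlookup ... | return 100 $url ]' followed by
    'stats count by src_ip, url': keep events whose url contains an IOC string
    (case-insensitively, like a Splunk term search) and count by (src_ip, url)."""
    lowered = [i.lower() for i in iocs]
    counts = Counter()
    for ev in events:
        if any(i in ev["url"].lower() for i in lowered):
            counts[(ev["src_ip"], ev["url"])] += 1
    return counts


if __name__ == "__main__":
    for (src_ip, url), n in sorted(match_events(EVENTS, load_iocs(IOC_CSV)).items()):
        print(f"{src_ip:12} {n:3} {url} domain={extract_domain(url)}")
```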

Vijeta
Influencer

Any sample data for url field?

0 Karma

Harish217
New Member

Here is the sample data from the table IOCs-URLs.csv (I would suggest not clicking on or going to this IOC):

fourtion.com/qyBf2DfGd
0 Karma

Vijeta
Influencer

The error is not with the rex command, it is because you are using [|inputlookup immediately after rex. Try like this:

index=xxxx*
| rex field=url "(?<domain>\w+\.\w+)\\/" | fields domain url
    [| inputlookup IOCs-URLs.csv
    | stats values(UrL) as url
    | format]
| stats count as NumOTimes by src_ip,url
0 Karma

Harish217
New Member

This SPL didn't give me any error, but somehow it is matching all events while not displaying any results in the Statistics.

Below is the status from the Splunk search:

1,550,000 of 1,550,000 events matched
but - Statistics (0)

0 Karma