Splunk Search

Can you help me with the following error in my 'rex' command?: "The regex '' does not extract anything. It should specify at least one named group. Format: (?...)"

bipin_tiwari
New Member

Hi,

I need to generate a graph that gives me the count of all the different types of exceptions that occurred during the last 2 days.

I am using the following query with the rex command:

host="amway03-01-apac02-itv-qa*" source="/opt/hybris/log/tomcat/console.log" | rex field=exception "(?:\w*Exception)" | chart count by exception | sort count

But it's not returning any results; instead it gives the following error:

Error in 'rex' command: The regex '(?:\w*Exception)' does not extract anything. It should specify at least one named group. Format: (?...).

Can someone please help me with the search query so that I can achieve the desired result?

Thanks
Bipin

0 Karma

kamlesh_vaghela
SplunkTrust

@bipin_tiwari

I think you have to mention a field name in rex, which you can use further,

like (?<Exception>\w*Exception)

Please refer to the doc for more info.

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex

0 Karma

bipin_tiwari
New Member

Thanks Kamlesh,
but the issue still remains open. Do I need to adapt any logging pattern so that the exception field is created in Splunk log events? I am new to Splunk, hence I would really appreciate it if someone could share the steps to achieve my business objective, which is to table the list of all exceptions that occurred with their counts and generate a graph for a given period of time.

Thanks
Bipin

0 Karma

javiergn
SplunkTrust

If I am not mistaken, you would like to extract from your RAW event into a field named EXCEPTION, correct?
If that's the case then your syntax is incorrect and should be:

| rex field=_raw "(?<exception>\w*Exception)"

Your rex is trying to extract from an existing field named exception, but there isn't any named group in your regular expression (which is what the syntax "?:" is doing).

Hope that helps,
J

javiergn
SplunkTrust

Hi @bipin_tiwari, please don't forget to mark the answer as accepted if you are happy with it so that we can close this question.

Regards,
J

0 Karma
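
The two problems discussed in this thread (a pattern with no named group, and `field=exception` pointing at a field that does not exist yet) can be reproduced offline. The following is an added example, not code from any poster or from Splunk: JavaScript accepts the same `(?<name>...)` syntax, so the thread's patterns run verbatim, while the helper names `namedGroups`, `rex` and `countBy` and the sample log lines are constructed for illustration.

```javascript
// Added example: emulates Splunk's rex on the patterns from this thread.
// Constructed sample lines standing in for console.log events.
const SAMPLE_EVENTS = [
  '10:00:01 ERROR [hybris] java.lang.NullPointerException: cart is null',
  '10:00:05 INFO  [hybris] order placed',
  '10:01:12 ERROR [hybris] java.sql.SQLException: connection timed out',
  '10:02:40 ERROR [hybris] java.lang.NullPointerException: user is null',
  '10:03:00 WARN  [hybris] Exception while closing stream',
].map((line) => ({ _raw: line }));

const NON_CAPTURING = '(?:\\w*Exception)';   // pattern from the question
const NAMED = '(?<exception>\\w*Exception)'; // pattern from the reply

// Named capture groups in a pattern (lookbehinds (?<= and (?<! are not groups).
function namedGroups(pattern) {
  return [...pattern.matchAll(/\(\?<([A-Za-z_]\w*)>/g)].map((m) => m[1]);
}

// Emulates `rex field=<field> "<pattern>"`: each named group becomes a field.
function rex(events, field, pattern) {
  if (namedGroups(pattern).length === 0) {
    throw new Error(`The regex '${pattern}' does not extract anything. ` +
      'It should specify at least one named group.');
  }
  const re = new RegExp(pattern);
  return events.map((ev) => {
    const m = typeof ev[field] === 'string' ? re.exec(ev[field]) : null;
    return m ? { ...ev, ...m.groups } : ev; // no source field or no match: unchanged
  });
}

// Emulates `stats count by <field> | sort - count`; events lacking the field drop out.
function countBy(events, field) {
  const counts = new Map();
  for (const ev of events) {
    if (ev[field] === undefined) continue;
    counts.set(ev[field], (counts.get(ev[field]) || 0) + 1);
  }
  return [...counts].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

// field=_raw with a named group yields the table the question asks for.
console.log(countBy(rex(SAMPLE_EVENTS, '_raw', NAMED), 'exception'));
// field=exception finds nothing: no event has an `exception` field yet.
console.log(countBy(rex(SAMPLE_EVENTS, 'exception', NAMED), 'exception'));
```

Because `\w` does not match a dot, the extracted value is the class name without its package, and `\w*` also lets a bare `Exception` in free text count as a match.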