create new field with REST API of splunk

snigdha9nov
Engager

I am new to Splunk... I am trying to create a new field (I want to name it "gen") from the raw events of train.csv (my dataset) by using a regular expression through the Splunk REST API. The same regular expression works well in the Splunk web page, but I am getting a parenthesis error.
Here is my code:
curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/export -d search="search source=train.csv |rex field=_raw '^(?:[^,\n]*,){5}(?P<gen>\w+,)'| top gen"

But I get this error:
FATAL: Error in 'rex' command: Encountered the following error while compiling the regex ''^(?:[^': Regex: missing closing parenthesis

I have checked, and no parenthesis is missing... please help me get the right code.


harsmarvania57
SplunkTrust

Hi @snigdha9nov,

You can try the command below, which works fine; it will extract a field called extracted_field:

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/export -d search="search source=train.csv |rex field=_raw \"^(?:[^,\n]*,){5}(?P<extracted_field>\w+,)\"| top extracted_field"

For example, I am running the query below in my lab to extract IP addresses from the _internal index, and it works fine:

curl -vk -u admin:mypass https://localhost:8089/services/search/jobs/export -d search="search index=_internal source=*splunkd.log | rex \"from\s(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\""

snigdha9nov
Engager

thanks a lot ... but I am unable to see the result

fieldOrder: gen, count, percent, _tc

Configuration initialization for /Applications/Splunk/etc took 19ms when dispatching a search (search ID: 1548407977.58)
base lispy: [ AND source::train.csv ]


harsmarvania57
SplunkTrust

If you look at the document https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTREF/RESTsearch#search.2Fjobs.2Fexport, it says that search/jobs/export streams results as they become available. If you want to run the search and then retrieve the results once the job completes, use the other REST endpoint.

For example:

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs -d search="search source=train.csv |rex field=_raw \"^(?:[^,\n]*,){5}(?P<extracted_field>\w+,)\"| top extracted_field" -d id=mysearch -d earliest_time=-15m@m

And to retrieve results in another request

curl -k -u admin:mypassword https://localhost:8089/services/search/jobs/mysearch/results --get -d output_mode=json
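The submit / poll / fetch procedure from the reply above, as an added example that is not code from the thread or from Splunk. It uses only the Python standard library, so the search string is URL-encoded before it is sent (curl -d sends it raw) and no shell quoting is involved at all, which is what went wrong in the question. It also avoids two habits from the curl commands in this thread: the credentials are a Splunk authentication token sent as a Bearer header rather than admin:password on the command line, and the server certificate is verified against a CA bundle instead of being skipped with -k. Assumptions: the environment variables SPLUNK_URL, SPLUNK_TOKEN and SPLUNK_CA, the sid name mysearch, and the constructed CSV rows; the regex is the one from the question with the group named gen as asked.

```python
"""Submit a Splunk search over the REST API, wait for it, and read the results.

Added example, not from the thread. Assumed environment (all hypothetical):
  SPLUNK_URL   management base URL, e.g. https://localhost:8089
  SPLUNK_TOKEN Splunk authentication token (Bearer header, no password in argv)
  SPLUNK_CA    PEM bundle that signed the server certificate (replaces curl -k)
"""
import json
import os
import re
import ssl
import time
import urllib.parse
import urllib.request

# The question's regex with the group named "gen": skip five comma-separated
# columns, capture the sixth. The group includes the trailing comma.
GEN_RE = re.compile(r"^(?:[^,\n]*,){5}(?P<gen>\w+,)")

# Constructed rows in a train.csv-like layout; the sixth column is the value wanted.
SAMPLE_ROWS = [
    "1,0,3,Braund,Mr,male,22,1,0,A/5 21171",
    "2,1,1,Cumings,Mrs,female,38,1,0,PC 17599",
    "3,1,3,Heikkinen,Miss,female,26,0,0,STON/O2",
]


def extract_gen(raw):
    """What the rex puts in the field gen for one raw event (None if no match)."""
    m = GEN_RE.match(raw)
    return m.group("gen").rstrip(",") if m else None


def build_spl(source="train.csv", field="gen"):
    """The search string exactly as the REST API must receive it.

    Built in Python and URL-encoded in _request(), so the regex keeps its
    double quotes. The group name and the field given to top must match,
    otherwise top has nothing to count and the result set is empty.
    """
    return (
        f"search source={source} "
        f'| rex field=_raw "^(?:[^,\\n]*,){{5}}(?P<{field}>\\w+,)" '
        f"| top {field}"
    )


def _request(method, path, data=None):
    """One authenticated, TLS-verified call; returns the decoded JSON body."""
    ctx = ssl.create_default_context(cafile=os.environ.get("SPLUNK_CA"))
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(
        os.environ["SPLUNK_URL"] + path, data=body, method=method,
        headers={"Authorization": "Bearer " + os.environ["SPLUNK_TOKEN"]})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def submit_search(spl, sid, earliest="0"):
    """POST search/jobs with a caller-chosen sid (the reply's -d id=mysearch).

    earliest defaults to all time so a one-off CSV whose events are older than
    -15m@m is not filtered out; that is the "widen your time span" advice.
    """
    data = {"search": spl, "id": sid, "earliest_time": earliest,
            "latest_time": "now", "output_mode": "json"}
    return _request("POST", "/services/search/jobs", data)["sid"]


def wait_for_job(sid, timeout=60):
    """Poll search/jobs/<sid> until dispatchState is DONE or FAILED."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        job = _request("GET", f"/services/search/jobs/{sid}?output_mode=json")
        state = job["entry"][0]["content"]["dispatchState"]
        if state in ("DONE", "FAILED"):
            return state
        time.sleep(1)
    raise TimeoutError(f"search {sid} still running after {timeout}s")


def fetch_results(sid):
    """GET search/jobs/<sid>/results, the reply's second curl call."""
    return _request("GET", f"/services/search/jobs/{sid}/results?output_mode=json")


def interpret_results(payload):
    """Tell apart the three response shapes seen in this thread.

    ("error", texts) for FATAL messages such as "Unknown sid.",
    ("empty", []) when the job ran but matched no events, ("ok", rows) otherwise.
    """
    fatal = [m["text"] for m in payload.get("messages", []) if m.get("type") == "FATAL"]
    if fatal:
        return "error", fatal
    rows = payload.get("results", [])
    return ("ok", rows) if rows else ("empty", [])


if __name__ == "__main__":
    job_sid = submit_search(build_spl(), sid="mysearch")
    print("job", job_sid, wait_for_job(job_sid))
    print(interpret_results(fetch_results(job_sid)))
```

Two caveats when running it for real: a caller-chosen sid can only be reused after the earlier job with that name has expired or been deleted, and "Unknown sid." from the results endpoint means the sid was never created on that instance (a typo, a different server, or a job that already aged out), not that the search matched nothing.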

snigdha9nov
Engager

curl -k -u admin:password https://localhost:8089/services/search/jobs/1548409940.125/results --get -d output_mode=json

Why am I getting this?
{"messages":[{"type":"FATAL","text":"Unknown sid."}]}


harsmarvania57
SplunkTrust

Where did you get this SID 1548409940.125 from? If you do not want to rely on the Splunk-generated SID, you can supply a user-friendly SID name (-d id=mysearch) when firing the search; see the example I gave above, and use that SID to retrieve the results.


snigdha9nov
Engager

{"preview":false,"init_offset":0,"post_process_count":0,"messages":[],"results":

I


harsmarvania57
SplunkTrust

This means that the query didn't find any matching events; please widen your time span.


snigdha9nov
Engager

DEBUG: Configuration initialization for /Applications/Splunk/etc took 19ms when dispatching a search (search ID: 1548416060.239)
base lispy: [ AND source::train.csv ]

Still facing this problem.
