Splunk Search

Regex command causing the search to not work - unknown search command

ssjabid
Explorer

Hi People,

I am trying to run a regex command to cut out a part of the REQ field. On regex101 it works fine, but on Splunk it causes problems and I get an "unknown search command" error.

Here is the query I am using:

index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" 
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\"
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page

I do not want the regex command to cut out pages with numbers in them, so I've included [^0-9] in there, which works on regex101 but Splunk does not like it. Even when I use a backslash to block it out, it still doesn't pull out the data.

I've also tried using:

index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" 
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw REQ\=\".*\/(?<page>[a-zA-Z_]+(\.jsp)?)\/?\"
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page

but this gives me the "unknown search command :a" error.

Any help would be greatly appreciated,
Thanks

0 Karma
1 Solution

gcusello
SplunkTrust

Hi ssjabid,
did you try using quotes in the rex command?

| rex "REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\""

Option field=_raw isn't important.

Bye.
Giuseppe


janispelss
Path Finder

The rex command requires quotation marks around the regex expression.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Required_arguments

ssjabid
Explorer

Managed to get it working 🙂 this did help! thank you!

0 Karma

kamlesh_vaghela
SplunkTrust

@ssjabid

Can you please share sample data???

0 Karma

ssjabid
Explorer

REQ="././././switches" EVC="EVT_TRACE" EID="securityfilter.request" DIP="" CLS="" 4ReqURI="///*/api/v1/switches"

so I am trying to capture the switches part in REQ; however, sometimes a log appears with a number instead, and I would like to ignore that, but [^0-9] doesn't happen to work

0 Karma
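The two rex patterns from the thread, run in Python over the sample event posted above plus a few constructed ones. This is an added example, not code from the thread or from Splunk: Python's re module spells named groups (?P<page>...) where Splunk's PCRE uses (?<page>...), and the third pattern, which uses [^"]* instead of .*, is my own added tightening that nobody in the thread proposed. It goes a step beyond the question by showing why \w*[^0-9]+ does not exclude pages containing digits: [^0-9]+ only has to match at least one non-digit character somewhere after the \w* run, and because neither .* nor [^0-9]+ is confined to the REQ value, the capture can run past the field whenever REQ is not the last field in the event.

```python
import re

# Splunk's rex uses PCRE named groups, (?<page>...); Python's re spells them (?P<page>...).
# Apart from that spelling, the first two patterns are the ones posted in the thread.
PATTERN_THREAD_FIRST = re.compile(r'REQ\=\".*\/(?P<page>\w*[^0-9]+(\.jsp)?)\/?\"')
PATTERN_THREAD_SECOND = re.compile(r'REQ\=\".*\/(?P<page>[a-zA-Z_]+(\.jsp)?)\/?\"')
# Added, hypothetical tightening (not from the thread): [^"]* keeps the match inside the
# quoted REQ value instead of letting .* run to the last "/" anywhere in the event.
PATTERN_BOUNDED = re.compile(r'REQ\=\"[^"]*\/(?P<page>[a-zA-Z_]+(\.jsp)?)\/?\"')

# Constructed sample events. The first is the one posted in the thread; the rest are
# made up to exercise the edge cases (field order, digits, trailing slash, missing REQ).
SAMPLE_EVENTS = [
    'REQ="././././switches" EVC="EVT_TRACE" EID="securityfilter.request" DIP="" CLS="" 4ReqURI="///*/api/v1/switches"',
    'REQ="/app/login.jsp" EID="securityfilter.request"',
    'REQ="/app/page123" EID="securityfilter.request"',
    'REQ="/app/1switches" EID="securityfilter.request"',
    'REQ="/app/switches/" EID="securityfilter.request"',
    'EID="securityfilter.request"',
]


def extract_page(event, pattern=PATTERN_BOUNDED):
    """Return what rex would put in the page field, or None when the regex does not match."""
    m = pattern.search(event)
    return m.group("page") if m else None


def count_by_page(events, pattern=PATTERN_BOUNDED):
    """Rough equivalent of '| stats count by page': events with no page field are dropped."""
    counts = {}
    for event in events:
        page = extract_page(event, pattern)
        if page is not None:
            counts[page] = counts.get(page, 0) + 1
    return counts


if __name__ == "__main__":
    # Print the three captures side by side so the differences are visible per event.
    for event in SAMPLE_EVENTS:
        print(repr(extract_page(event, PATTERN_THREAD_FIRST)),
              repr(extract_page(event, PATTERN_THREAD_SECOND)),
              repr(extract_page(event, PATTERN_BOUNDED)))
    print(count_by_page(SAMPLE_EVENTS))
```

On the posted sample event all three patterns return "switches", which is why the first rex looked fine in regex101. On the constructed "/app/page123" event the first pattern still matches, with the capture spilling over into the following EID field, while the [a-zA-Z_]+ patterns return no match and the event simply drops out of the stats. Note that the Python run cannot reproduce the "unknown search command" error itself; that comes from Splunk's search parser seeing an unquoted regex, which the quoted form in the accepted answer fixes.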