- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- Re: Issue: I haved added rex in our web data mo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue: I haved added rex in our web data model app but it is show error
Hello Sir ,
I am having issue with the Splunk App for Web data model... but not sure where the problem is.
I have replaced regex in our data model .json file but it is not working.
In our data model , we have some field (date, time , decision_list) and added Rex in expression like
Rex:
"expression": "^([\w]+-)(?
{
"outputFields": [
{
"fieldName": "Description",
"owner": "Event",
"type": "string",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "Description",
"comment": "",
"fieldSearch": ""
}
],
"inputField": "decision_list",
"calculationID": "asdfassdfg",
"owner": "Event",
"editable": true,
"comment": "",
"calculationType": "Rex",
"expression": " ^([\w]+-)(?
},
when I am searching in Dashboard so facing Error in Dashboard :
Error:
"Error in 'PivotProcessor': Error in 'DataModelEvaluator': JSON for data model 'Web_Acc_Data' is invalid."
This regex is working perfectly in regex editor.
Someone has any clue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume you are taking the standard 'Web' datamodel that comes with Splunk_SA_CIM and updating the Web.json file.
What's your use case/requirement? If you want to edit any calculated fields, you can do the same via GUI [ Settings -> Datamodels and select the datamodel, and edit it and validate them before saving it]
https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Managedatamodels
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we have our own web security reporting APP . it is working fine with below regex.
^([^\_\-]+)\_([^\-]+)-(?
but i have replaced with below regex which is not working
^([\w]+-)(?
i have input field decision_list which is used for output field description
here decision_list = DECR_WEB_7-webGroup-SH_Auth-DefaultGroup-NONE-NONE-DefaultGroup
description = webGroup ---->expecting field description value so write regex expression but it is not working
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
