Splunk Search

'rex' command in 6.6.2 Splunk

udayk1
Path Finder

I am trying to use the 'rex' command in one of our searches but am not successful; the same search was working 1 month ago, before the upgrade, and now it has stopped. Any help please?

It throws me an error as ERROR SearchOperator:rex - Error in 'rex' command: Encountered the following error while compiling the regex '(?is) cat=(?.*?) sourceServiceName=': Regex: unrecognized character after (? or (?-

Below is the command I use:

sourcetype=***bla blaa***
| rex field=_raw "(?is) cat=(?.*?) sourceServiceName="
| rex field=_raw "(?is) duser=(?.*?) fname="
| rex field=_raw "(?is) msg=(?.*?) suser="
| rex field=_raw "(?is) suser=(?.*?) cat="
| table _time Suser Cat Duser Msg act 

wenthold
Communicator

Edit: the code block isn't quite working correctly and the formatting is messed up the first try. Hopefully this fixes it.

sourcetype=bla blaa
| rex field=_raw "(?is) cat=(?<cat>.*?) sourceServiceName="
| rex field=_raw "(?is) duser=(?<duser>.*?) fname="
| rex field=_raw "(?is) msg=(?<msg>.*?) suser="
| rex field=_raw "(?is) suser=(?<suser>.*?) cat="
| table _time Suser Cat Duser Msg 

I'm pretty sure it would be better to combine these where you can, instead of running multiple REX commands, for example:

| rex field=_raw "(?is)msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=" | rex field=_raw "(?is) duser=(?<duser>.*?) fname="

I can't tell where duser is in the _raw field (assuming it's in the same message) but you can probably combine this all into one rex command:

| rex field=_raw "(?is)msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=.*? duser=(?<duser>.*?) fname="

or

| rex field=_raw "(?is)duser=(?<duser>.*?) fname=.*? msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName="


woodcock
Esteemed Legend

I agree with the parser; what in the world is (?.*?) supposed to do?


woodcock
Esteemed Legend

The field=_raw is an implied default.


skalliger
Motivator
(?.?)

That right there. It's an incomplete group structure. That won't work.

Skalli

cmerriman
Super Champion

I suggest going to regex101.com and putting in some sample data and working out the regex. Otherwise, if you could input some of the data, it would be helpful for us to assist you. But @skalliger is correct, you need to fix the group structure. cat=(?<cat>.*) perhaps, however that is greedy and you'd likely want to edit it to match your data.

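To see why the parser rejects the original pattern, what the accepted answer's single-pass named groups return, and what cmerriman's greedy-versus-lazy caveat means in practice, here is an added JavaScript example. It is not code from the thread or from Splunk. Splunk's rex uses PCRE; JavaScript supports the same (?<name>...) named-group syntax, and PCRE's inline (?is) modifiers are written as the i and s flags here. The event line, the field names and the helper functions compilePattern and extractFields are constructed for this example.

```javascript
// Constructed CEF-style event carrying the key=value pairs the original search
// extracts. The msg value deliberately spans a line break so the effect of the
// (?s) / dotAll flag is visible.
const SAMPLE_EVENT =
  'CEF:0|Vendor|Product|1.0|100|Login|3|rt=1 msg=User login succeeded\n' +
  'for service suser=alice cat=Authentication sourceServiceName=sso ' +
  'duser=bob fname=report.pdf act=allowed';

// Patterns under discussion. PCRE's inline (?is) becomes the 'is' flags below.
const BROKEN = 'cat=(?.*?) sourceServiceName=';       // from the question: "(?" with no group type
const FIXED = 'cat=(?<cat>.*?) sourceServiceName=';   // named group supplied
const COMBINED =                                      // accepted answer's one-pass form
  'msg=(?<msg>.*?) suser=(?<suser>.*?) cat=(?<cat>.*?) sourceServiceName=.*? ' +
  'duser=(?<duser>.*?) fname=';
const GREEDY = 'cat=(?<cat>.*)';                      // cmerriman's caveat: no delimiter, greedy

// Compile a pattern the way rex would at search time. Splunk reports a compile
// error for BROKEN ("unrecognized character after (?"); JavaScript reports the
// same class of problem as a SyntaxError ("Invalid group").
function compilePattern(source) {
  try {
    return { ok: true, regex: new RegExp(source, 'is') };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Apply a pattern to one event and return its named groups, which is what rex
// turns into extracted fields. Returns null when the event does not match.
function extractFields(event, source) {
  const { ok, regex, error } = compilePattern(source);
  if (!ok) throw new Error(`cannot compile "${source}": ${error}`);
  const m = regex.exec(event);
  return m ? { ...m.groups } : null;
}

// Stand-alone demonstration: compile failure, then extraction with each pattern.
const broken = compilePattern(BROKEN);
console.log('BROKEN compiles:', broken.ok, broken.ok ? '' : broken.error);
console.log('FIXED    ->', extractFields(SAMPLE_EVENT, FIXED));
console.log('COMBINED ->', extractFields(SAMPLE_EVENT, COMBINED));
// GREEDY captures from "cat=" to the end of the event (across the line break
// too, because of the s flag), which is why a lazy .*? plus the next key is used.
console.log('GREEDY   ->', extractFields(SAMPLE_EVENT, GREEDY));
```

The lazy quantifier only behaves because each group is followed by the literal next key ("suser=", "cat=", "sourceServiceName="); if the order of keys differs between events, the combined pattern silently returns no fields for those events, so check the field order in your data before collapsing several rex commands into one.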