- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: rex error help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex error help
The regular expression is correct according to RegExr, but i keep on getting this error
Error in 'rex' command: Encountered the following error while compiling the regex 'count(domain)=(?<count(domain)>.*)': Regex: syntax error in subpattern name (missing terminator)
Here is what i have in Splunk Search:
rex field=_raw "count(domain)=(?<count(domain)>.*)"
Thanks guys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
try this search code :
...................................|rex field=_raw "count\(domain\)\=(?<count_domain>[^\,]+)"|table count_domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (run anywhere)
index="AAAA" source="BBBB" | rex field=_raw "count\(domain\)=(?<domain_count>.*)," | rename domain_count as count(domain)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help
^^
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample log
05/20/2014 00:00:00 +0900, search_name=AAAAA, search_now=1400606400.000, info_min_time=1400511600.000, info_max_time=1400598000.000, info_search_time=1400606401.123, count(domain)=744788, date_wday=tuesday
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ilove275,
brackets inside the rex field name cause the syntax issue.changing the field name count(domain) to domain_count would help u solving the issue.
rex field=_raw "count\(domain\)=(?<domain_count>.*)"
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it doesn't come out the File name "domain_count" when I use "Rename" commamd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field name's "count(domain)" not "domain_count"
My Splunk Search
index="AAAA" source="BBBB" | rex field=_raw "count(domain)=(?
error
Error in 'rex' command: Encountered the following error while compiling the regex 'count(domain)=(?
Thanks rakesh_498115
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
and don't forget to append a " at the end of the regex command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you provide some sample events please?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
