Using Named Group Capture With rex In a Splunk Dashboard Query? - splunk

While trying to use rex as part of a Splunk search, I have a regular expression that works fine:
eventtype=my_type | rex field=_raw ".*\[(?<foo>.*?)\].*" | table _time, foo
But when I try to save the search into a dashboard table I get the following error:
Error parsing XML on line 29: Premature end of data in tag form line 1
I know my query is fine because when I click the "Run Search" button while adding it to the dashboard table I get a valid result. But when I click the save button I get the above error.
I suspect the named group capture within the regular expression is throwing off the XML parser.
How do I use a rex regular expression with name capture as part of a dashboard query?
Thank you in advance for your consideration and response.

To use named group capture you have to replace the angle brackets with &lt; and &gt;:
... | rex field=_raw ".*\[(?&lt;foo&gt;.*?)\].*" | ...
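Added example, not part of either post above: the dashboard definition is XML, so the `<foo>` in `(?<foo>...)` is read as an element start tag and the parser fails before Splunk ever sees the search. The script below builds a minimal Simple XML skeleton around the search from the question (the skeleton is a constructed stand-in, not a real saved dashboard), shows that the unescaped query does not parse, and that escaping `<` and `>` as entities parses and hands the original search string back unchanged.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed: the search from the question, exactly as typed into the search bar.
QUERY = 'eventtype=my_type | rex field=_raw ".*\\[(?<foo>.*?)\\].*" | table _time, foo'


def dashboard_xml(query: str) -> str:
    """Wrap a search string in a minimal Simple XML skeleton (constructed for this example)."""
    return (
        "<form>\n"
        "  <row><panel><table>\n"
        f"    <search><query>{query}</query></search>\n"
        "  </table></panel></row>\n"
        "</form>\n"
    )


def parses(xml_text: str) -> bool:
    """True if the document is well-formed XML, False on the kind of error the question reports."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def escaped_query(query: str) -> str:
    """Entity-escape the characters that matter inside element text: < > and &."""
    return escape(query)


def round_trip(query: str) -> str:
    """Parse the escaped dashboard and return the query text the XML parser hands back."""
    root = ET.fromstring(dashboard_xml(escape(query)))
    return root.find("row/panel/table/search/query").text


if __name__ == "__main__":
    print("raw query parses:     ", parses(dashboard_xml(QUERY)))
    print("escaped query parses: ", parses(dashboard_xml(escaped_query(QUERY))))
    print("escaped form:         ", escaped_query(QUERY))
    print("round trip unchanged: ", round_trip(QUERY) == QUERY)
```

The same rule applies to any other `<`, `>` or `&` in a saved search (comparison operators in `where`, for instance); the XML parser decodes the entities, so the search Splunk runs is byte-for-byte the one you tested in the search bar.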

Related

Getting Error as "Regex: syntax error in subpattern name (missing terminator)." in SPLUNK

I have been extracting fields in Splunk and this looks to be working fine for all headers but for the header l-s-m, I am getting the error as "syntax error in subpattern name (missing terminator)."
I have done similar for other headers and all works, but this is the only header with a "hyphen" sign that is giving this error. I have tried multiple times but this is not helping.
Headers:
Content-Type: application/json
Accept: application/json,application/problem json
l-m-n: txxxmnoltr
Accept-Encoinding:gzip
Regex I am trying is "rex field=u "l-m-n: (?<l-m-n>.*)" in SPLUNK. Could you please guide me here?
rex cannot extract into a field name with hyphens. However, you can solve this with rename:
| rex field=u "l-m-n: (?<lmn>.*)" | rename lmn AS "l-m-n"
In general, I would avoid the use of hyphens in a field name, as it can be mistaken for a minus. If you want to use the field l-m-n, you will need to quote it everywhere, like 'l-m-n'. I would strongly suggest you stick with using the field name lmn.
Try running the following to see what I mean:
| makeresults | eval l-m-n=10 | eval l=1 | eval m=1 | eval n=1 | eval result_noquote=l-m-n | eval result_quoted='l-m-n'

what regex command i can use in order to create a field in splunk

I have data which Splunk shows, but I don't see a field for what I wanted:
"ag-somethin-id":["97234d506-E0ASD-4XXX-AXX0-ASD77757"]
I need to create a field with ag-somethin-id which should actually give me all the values under those events, and it should show something like:
97234d506-E0ASD-4XXX-AXX0-ASD77757 under this field ag-somethin-id
Till now I have tried using the below, but it's not correct:
rex "ag-somethin-id[\\\":]*(?<ag-somethin-id>[^\\[":"]*)"
Please help in fixing this.
Please use the below regex:
rex field=_raw "\"ag-somethin-id\":\[\"(?<agsomethinid>[^\"]+)\"\]"
|rename agsomethinid as "ag-somethin-id"
I have verified it by executing in regex101 (Regex for ag-somethin-id).

Splunk Rex: Extracting fields of a string to a value

I'm a newbie to Splunk trying to do some dashboards and need help in extracting fields of a particular variable.
Here in my case I want to extract only the KB_List":"KB000119050,KB000119026,KB000119036" values to a column.
Expected output:
KB_List
KB000119050,KB000119026,KB000119036
I have tried:
| rex field=_raw "\*"KB_List":(?<KB_List>\d+)\*"
I have highlighted the part below in the log:
svc_log_ERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":"","highestSeverity":"Minor","Source":"hsym-plyfss01","reqEmail":"true","AlertGroup":"TIBCOP","reqPage":"","KB_List":"KB000119050,KB000119026,KB000119036","reqTicket":"true","autoTicket":true,"SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0,"AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP","sentPageTo":"TESTPP"},"Notification":{"":{"requestId":"532938335"}},"":
rex field=_raw "KB_List\":\"(?<KB_List>[^\"])\""
This regular expression will look for anything that begins with KB_List":", then capture everything except a ".
In your example, you are only capturing digits (\d+), whereas the contents of the KB_List field also contain other characters ("KB" and ",").
Alas:
I figured out by looking into so many articles:
| rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed
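Added example covering the three threads above (the hyphenated l-m-n header, the ag-somethin-id JSON array, and the KB_List value); it is not code from any of the posts. It replays the extractions in Python's re module so they can be checked offline: Python spells a named group (?P<name>...) where Splunk's PCRE accepts (?<name>...), but the rules shown are the same in both. The header block and the JSON event are constructed to mirror the samples in the questions, and the small rex/rename helpers are stand-ins for the SPL commands, not Splunk code.

```python
import re

# Constructed sample events modelled on the questions (not real captured data).
HEADER_EVENT = "Content-Type: application/json\nl-m-n: txxxmnoltr\nAccept-Encoding: gzip"
JSON_EVENT = (
    '{"ag-somethin-id":["97234d506-E0ASD-4XXX-AXX0-ASD77757"],'
    '"KB_List":"KB000119050,KB000119026,KB000119036","reqTicket":"true"}'
)


def rex(event: str, pattern: str) -> dict:
    """Stand-in for `| rex`: named groups of the first match, or {} when nothing matches."""
    m = re.search(pattern, event)
    return m.groupdict() if m else {}


def rename(fields: dict, old: str, new: str) -> dict:
    """Stand-in for `| rename old AS new`."""
    return {new if k == old else k: v for k, v in fields.items()}


def group_name_is_valid(name: str) -> bool:
    """A capture group name must be an identifier; '-' is rejected by Python just as Splunk rejects it."""
    try:
        re.compile(f"(?P<{name}>x)")
        return True
    except re.error:
        return False


def extract_lmn(event: str) -> dict:
    # Capture into a legal name, then rename to the hyphenated header name.
    return rename(rex(event, r"l-m-n: (?P<lmn>.*)"), "lmn", "l-m-n")


def extract_ag_id(event: str) -> dict:
    # Escape the literal quotes and brackets; [^"]+ stops at the closing quote of the array element.
    pattern = r'"ag-somethin-id":\["(?P<agsomethinid>[^"]+)"\]'
    return rename(rex(event, pattern), "agsomethinid", "ag-somethin-id")


def extract_kb_list(event: str, one_char_bug: bool = False) -> dict:
    # Without the + quantifier [^"] consumes exactly one character and the following \" cannot match,
    # so the extraction silently yields nothing; with + it takes the whole comma-separated value.
    pattern = r'KB_List":"(?P<KB_List>[^"])"' if one_char_bug else r'KB_List":"(?P<KB_List>[^"]+)"'
    return rex(event, pattern)


if __name__ == "__main__":
    print("l-m-n as a group name valid:", group_name_is_valid("l-m-n"))
    print(extract_lmn(HEADER_EVENT))
    print(extract_ag_id(JSON_EVENT))
    print("with +:   ", extract_kb_list(JSON_EVENT))
    print("without +:", extract_kb_list(JSON_EVENT, one_char_bug=True))
```

Two things the replay makes visible: a group name with a hyphen is a regex compile error, so the only route to a field called l-m-n or ag-somethin-id is capture-then-rename, and a character class without a quantifier matches exactly one character, which is why the first KB_List answer returned nothing on the sample log.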

How to extract data from the String in splunk?

I was given a log from Splunk and I want to get particular data in the middle of the string and use it for the dashboard. For example:
msg="somestring1 somestring2 500 somestring3 ..."
How do I get the value 500?
Sorry, I am not an expert in Splunk. Thanks in advance.
I think what you're looking for is the rex command.
Example usage:
... | rex field=message "\S+ \S+ (?<extracted_field>\d+) \S+" | stats count by extracted_field

The stats command isn't returning any results?

I have the following query:
search (...) AND ERROR
| rex field=error "^.*(?<vcbn>Value cannot be null.)$"
| stats count(vcbn) by error
but for whatever reason the stats count(vcbn) by error isn't generating any results.
Additionally, the rex field=error "^.*(?<vcbn>Value cannot be null.)$" isn't building a new field in the list on the left of the event search results.
The search itself returns 170 events.
Splunk Version: 4.3.3
Looks like the rex command is not able to extract at search time.
Can you provide a sample _raw log event or the 'error' field from the log event?
Also refer to:
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Rex
So after a good bit of research, I found a solution. The first problem was I misunderstood the field parameter for the rex command. It's meant to tell the parser which field to search through. The next thing I had to do was make sure to use the line characters ^ and $. Finally, I had to add the trailing .* to the mix so that it would look through the entire _raw field.
rex "^.*(?<vcbn>Value cannot be null).*$"
| stats count(vcbn)
NOTE: the _raw field is built in.
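Added example for the last two threads (extracting the 500 from the middle of msg, and the stats count(vcbn) that returned nothing); it is not code from any of the posts. It replays rex followed by stats over a handful of constructed events in Python's re module (Python writes named groups as (?P<name>...) where Splunk accepts (?<name>...)). The events are constructed; in particular the assumption that some error strings carry text after "Value cannot be null." is what makes the trailing .* matter, which is one concrete way the original anchored pattern can count fewer events than expected.

```python
import re

# Constructed values of the `error` field; the second one has text after the message.
ERRORS = [
    "Value cannot be null.",
    "Value cannot be null. Parameter name: source",
    "Object reference not set to an instance of an object.",
    "Value cannot be null.",
]
# Constructed values of the `msg` field from the "get the 500" question.
MSGS = [
    "somestring1 somestring2 500 somestring3",
    "somestring1 somestring2 200 somestring3",
    "somestring1 somestring2 500 somestring3",
]


def rex_field(values: list, pattern: str) -> list:
    """Stand-in for `| rex field=<f> "<pattern>"`: one dict per event, empty when there is no match."""
    out = []
    for v in values:
        m = re.search(pattern, v)
        out.append(m.groupdict() if m else {})
    return out


def stats_count(events: list, field: str) -> int:
    """`| stats count(field)`: the number of events in which the field exists."""
    return sum(1 for e in events if field in e)


def stats_count_by(events: list, field: str) -> dict:
    """`| stats count by field`: events without the field are dropped, as Splunk does."""
    counts: dict = {}
    for e in events:
        if field in e:
            counts[e[field]] = counts.get(e[field], 0) + 1
    return counts


def count_vcbn(anchored_without_trailing: bool = False) -> int:
    # The original pattern anchors the message to the end of the field with `$`, so any
    # trailing text breaks the match; the fixed pattern lets `.*` absorb it.
    if anchored_without_trailing:
        pattern = r"^.*(?P<vcbn>Value cannot be null.)$"
    else:
        pattern = r"^.*(?P<vcbn>Value cannot be null).*$"
    return stats_count(rex_field(ERRORS, pattern), "vcbn")


def status_counts() -> dict:
    # Third whitespace-separated token, captured only if it is all digits.
    return stats_count_by(rex_field(MSGS, r"\S+ \S+ (?P<extracted_field>\d+) \S+"), "extracted_field")


if __name__ == "__main__":
    print("count(vcbn) with original anchored pattern:", count_vcbn(anchored_without_trailing=True))
    print("count(vcbn) with trailing .*:             ", count_vcbn())
    print("count by extracted_field:                 ", status_counts())
```

The replay also shows why `field=` matters: rex only ever inspects the field you name, so a pattern that is correct for _raw returns nothing when pointed at a field that does not hold that text, and stats count(vcbn) is then a count over an empty set.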