0
votes

What am I doing wrong here?

Splunk QUERY:

```
index=du sourcetype="du:sbaservice-log" du_service="dugovt4.0" "ERROR="
| rex field=_raw "INFO\=>CaseFileID\s+(?.*)"
| rex field=_raw "INFO\=>Envelope\InstID\s\=\s(?instID>\d+)"
| rex field=_raw "lenderCaseNo\s[(?\d+)]"
| rex field=_raw "Originating\sID:\s+(?\S+)"
| rex field=_raw "SBA\sCommand:\s+(?\S+)"
| rex field=_raw "Host:\s+(?\S+)"
| rex field=_raw " Base\sGUID:\s+(?\S+)"
| eval BTime = strptime(Begin_time, "%H:%M:%S.%3N")
| eval CTime = strptime(Completion_time, "%H:%M:%S.%3N")
| eval ResTime=CTime-BTime
```

Also, I am not getting the value of the CASEFILEID data.

ERROR: I get an error:

```
Error in 'rex' command: Encountered the following error while compiling the regex 'INFO\=>Envelope\InstID\s\=\s(?instID>\d+)': Regex: unrecognized character follows .
```

DATA in the LOG:

```
11/21/2019 12:22:01.817 INFO=>Executing workflow...
11/21/2019 12:22:01.817 INFO=>CaseFileID 1427667459
11/21/2019 12:22:01.817 INFO=>Creating task 1003ToCLDF
11/21/2019 12:22:01.818 INFO=>Envelope InstID = 12006
```


1 Answer

0
votes

I corrected the regex and I was able to get the results.

```
| rex field=_raw "INFO=>CaseFileID\s*(?\d+)"
| rex field=_raw "INFO=>Envelope InstID\s*=\s*(?\d+)"
```
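An added example, not from the original question or answer: a small Python script that compiles the question's broken InstID pattern and the corrected patterns from the answer and runs them over the log lines quoted above, so a rex pattern can be checked offline before it goes into a search. Python's re module stands in for Splunk's PCRE engine (Splunk writes named groups as `(?<name>...)`, Python as `(?P<name>...)`, so the script rewrites that one difference). The field names CaseFileID and instID, the sample events and all function names are assumptions made here, since the capture-group names did not survive in the post.

```python
"""Check Splunk-style rex patterns against sample log lines offline.

Added example, not code from the original post. Python's re module is
used in place of Splunk's PCRE engine; the group names CaseFileID and
instID are assumed, as the post's own group names were lost.
"""
import re

# Constructed sample events, copied from the question's log excerpt.
SAMPLE_EVENTS = [
    "11/21/2019 12:22:01.817 INFO=>Executing workflow...",
    "11/21/2019 12:22:01.817 INFO=>CaseFileID 1427667459",
    "11/21/2019 12:22:01.817 INFO=>Creating task 1003ToCLDF",
    "11/21/2019 12:22:01.818 INFO=>Envelope InstID = 12006",
]

# The question's pattern escapes the "I" of InstID. "\I" is not a valid
# escape in PCRE (Splunk's engine) nor in Python's re, so compiling it
# fails; that is the "unrecognized character follows \" error.
BROKEN_INSTID = r"INFO\=>Envelope\InstID\s\=\s(?<instID>\d+)"

# Corrected patterns in Splunk rex syntax: plain literal text, \s* for
# optional whitespace, and one named capture group per extracted field.
REX_PATTERNS = {
    "CaseFileID": r"INFO=>CaseFileID\s*(?<CaseFileID>\d+)",
    "instID": r"INFO=>Envelope InstID\s*=\s*(?<instID>\d+)",
}


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    The lookahead requires a group name followed by ">", so lookbehind
    assertions such as (?<= and (?<! are left untouched.
    """
    return re.sub(r"\(\?<(?=\w+>)", "(?P<", pattern)


def compile_rex(pattern: str) -> re.Pattern:
    """Compile a rex pattern; raises re.error where Splunk reports a rex error."""
    return re.compile(pcre_to_python(pattern))


def compiles(pattern: str) -> bool:
    """True if the pattern compiles, False if the regex engine rejects it."""
    try:
        compile_rex(pattern)
        return True
    except re.error:
        return False


def extract_fields(events, patterns=REX_PATTERNS) -> dict:
    """Apply each pattern to every event, like a chain of `| rex` commands.

    Splunk extracts fields per event; here the first value found for each
    field is merged into one dict across all events for illustration.
    """
    fields = {}
    compiled = {name: compile_rex(p) for name, p in patterns.items()}
    for event in events:
        for name, regex in compiled.items():
            match = regex.search(event)
            if match and name not in fields:
                fields[name] = match.group(name)
    return fields


if __name__ == "__main__":
    print("broken InstID pattern compiles:", compiles(BROKEN_INSTID))
    print("extracted fields:", extract_fields(SAMPLE_EVENTS))
```

Running the script reports that the broken pattern does not compile and that the corrected patterns extract 1427667459 for CaseFileID and 12006 for instID from the sample events; note that each value comes from a different event, so in a real search the two rex extractions populate different events unless the fields are later combined with stats or transaction.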