1
votes

I have been extracting fields in Splunk and this looks to be working fine for all headers, but for the header l-s-m I am getting the error "syntax error in subpattern name (missing terminator)".

I have done the same for other headers and it all works, but this is the only header with a "hyphen" sign that is giving this error. I have tried multiple times but this is not helping.

Headers:

Content-Type: application/json
Accept: application/json,application/problem json
l-m-n: txxxmnoltr 
Accept-Encoinding:gzip

The regex I am trying is rex field=u "l-m-n: (?<l-m-n>.*)" in Splunk. Could you please guide me here?

1 Answer

1
votes

rex cannot extract into a field name with hyphens. However, you can solve this with rename:

| rex field=u "l-m-n: (?<lmn>.*)" | rename lmn AS "l-m-n"

In general, I would avoid the use of hyphens in a field name, as it can be mistaken for a minus. If you want to use the field l-m-n, you will need to quote it everywhere, like 'l-m-n'. I would strongly suggest you stick with using the field name lmn.

Try running the following to see what I mean:

| makeresults | eval l-m-n=10 | eval l=1 | eval m=1 | eval n=1 | eval result_noquote=l-m-n | eval result_quoted='l-m-n'
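
The capture-then-rename approach from the answer above, as an added example in Python (not part of the original answer, and not Splunk code). Python's re module, like the PCRE engine behind rex, rejects hyphens in capture group names; the sample headers, the function names and the h<index>_ prefix are constructed for illustration.

```python
import re

# Constructed sample, modelled on the headers in the question.
SAMPLE = (
    "Content-Type: application/json\n"
    "Accept: application/json\n"
    "l-m-n: txxxmnoltr\n"
    "Accept-Encoding: gzip\n"
)

def safe_group(header, index):
    """Map a header name to a legal group name (letters, digits, underscore)."""
    name = re.sub(r"[^A-Za-z0-9_]", "_", header)
    # The index keeps "l-m-n" and "l_m_n" distinct inside one combined pattern,
    # and the "h" prefix covers header names that start with a digit.
    return f"h{index}_{name}"

def hyphenated_group_compiles(header):
    """Return True if the header name can be used directly as a group name."""
    try:
        re.compile(rf"{re.escape(header)}: (?P<{header}>.*)")
        return True
    except re.error:
        return False

def extract_headers(raw, wanted):
    """Capture into safe group names, then key results by the original names."""
    if not wanted:
        return {}
    groups = {safe_group(h, i): h for i, h in enumerate(wanted)}
    pattern = re.compile(
        "|".join(rf"^{re.escape(h)}:[ \t]*(?P<{g}>[^\r\n]*)"
                 for g, h in groups.items()),
        re.MULTILINE | re.IGNORECASE,
    )
    result = {}
    for match in pattern.finditer(raw):
        group = match.lastgroup  # the one named group that matched this line
        # The "rename" step: store under the hyphenated header name.
        result.setdefault(groups[group], match.group(group).strip())
    return result

if __name__ == "__main__":
    print(hyphenated_group_compiles("l-m-n"))
    print(extract_headers(SAMPLE, ["l-m-n", "Content-Type", "X-Missing"]))
```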