Splunk error specify atleast one named group

Question

I am executing below splunk query.

index=api sourcetype=api-warn environ::api-prod* 
| bin _time span=1h
| rex mode=sed field=service_name "s#\..*$##" | rex field=requestPath "https://api.com.org.net/(abc)/(def)"
| stats count(service_name) by _time,service_name

Getting below error: Error in 'rex' command: The regex 'https://api.com.org.net/(abc)/(def)' does not extract anything. It should specify at least one named group. Format: (?...).

Suppose, one of the url is:

https://api.com.org.net/abc/def/some_number/?key=value&key=value

My regular expression:

https:\/\/(<api\.com\.org\.net\/abc\/def>*)

My regular expression does not match url, Could someone help out.

Not sure what is the issue here. I am using regex to match part of url abc/def in url'. Not sure what is going wrong. Can some one direct me in proper direction?

score 0 · Answer 1 · answered Mar 20 '20 at 19:48

0

The rex command requires at least one capture group of the form (?<fieldname>...) where 'fieldname' is a Splunk field name and '...' is a regular expression. If you just want to filter data instead of extract fields, use the regex command, instead.

answered Mar 20 '20 at 19:48

RichG

9,063
2
18
29

Splunk error specify atleast one named group

1 Answers1