topic Re: Why is the following regex expression not matching as expected? in Splunk Search

Why is the following regex expression not matching as expected?

SunilMaharishi — Mon, 17 Sep 2018 18:12:41 GMT

I have a field user= xyz\user11 and i need to match user11 ignoring xyz in the user filed

below is the regex expression we have been trying but it gives error as unmatched parenthesis or some other and Result field is not available in the logs if it runs successfully .

rex field=user (?\w+\\(\w+))

Re: Why is the following regex expression not matching as expected?

pjnike — Mon, 17 Sep 2018 18:55:04 GMT

You have to specify which field to extract the value to. Also, the backslash(\) before opening parenthesis in your query escapes the ( which causes Splunk to give an error of unmatched parenthesis. You need to escape the backslash with \.

Try this: rex field=user "\w+\\\(?<user_name>\w+)"

Re: Why is the following regex expression not matching as expected?

richgalloway — Mon, 17 Sep 2018 18:56:18 GMT

We can't read your rex string because the forum mangled it. To prevent this, put code, HTML, and SPL inside backticks or use the code button (101010).

Backslashes require extra escape characters in regex strings within SPL. Try rex field=user "\\\(?<Result>.*)".

Re: Why is the following regex expression not matching as expected?

SunilMaharishi — Mon, 17 Sep 2018 20:49:49 GMT

that was mistyped fieldname was specified though

but it is working now thank you