topic Re: regex not working in Splunk Search

regex not working

reverse — Thu, 13 Jun 2019 19:00:47 GMT

not working in splunk.

Error in 'rex' command: Encountered the following error while compiling the regex '(?<v1>.+:\.+?\(.+?)\.+)': Regex: unmatched closing parenthesis

saurabhkharkar — Thu, 13 Jun 2019 19:06:38 GMT

what are you trying to parse ?

reverse — Thu, 13 Jun 2019 19:09:36 GMT

I want to extract DEF.

reverse — Thu, 13 Jun 2019 19:10:10 GMT

jazzypai — Thu, 13 Jun 2019 19:20:04 GMT

Do you want to extract DEF or do you want to extract the name of the second directory, where DEF is located?

reverse — Thu, 13 Jun 2019 19:21:10 GMT

name of the second directory

saurabhkharkar — Thu, 13 Jun 2019 19:24:00 GMT

| makeresults
| eval string ="c:\ABC\DEF\LOGS\1.LOG"
| rex field=string ".*?\\\\\w+\\\(?<extract_attribute>\w+).+"
| table string extract_attribute

jazzypai — Thu, 13 Jun 2019 19:24:09 GMT

Try out the following as for regex101.com

(?<drive>\w)\:\\(?<first>[\w]+)\\(?<second>[\w]+)\\(?<third>[\w]+)\\(?<filename>[\d\w\.]+)

Try this out in splunk;

 | rex field=string "(?<drive>\w)\:\\\(?<first>[\w]+)\\\(?<second>[\w]+)\\\(?<third>[\w]+)\\\(?<filename>[\d\w\.]+)"

This will parse the entire path that you listed.

Vijeta — Thu, 13 Jun 2019 19:32:02 GMT

@reverse - A backslash seems to be misplaced in your expression. It should be '(?<v1>.+:\.+?\(.+?\).+)':