https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494902#M137952 <P>sorry, did you tried with </P> <PRE><CODE>| rex field=source "\\(?&lt;log_name&gt;\w+\.\w+)$" </CODE></PRE> <P>?<BR /> As you can see in regex101, it extracts all the requested filenames that are after tha last backslash.</P> <P>Bye.<BR /> Giuseppe</P> Thu, 10 Oct 2019 15:13:15 GMT gcusello 2019-10-10T15:13:15Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494898#M137948 <P>Hey Splunkers,</P> <P>Noob. Trying to only retrieve the log names (ex. utility.log) after the last slash</P> <P><STRONG>blah\blah\blah\logs\error.log<BR /> blah\blah\blah\logs\audit.log<BR /> blah\blah\blah\logs\utility.log<BR /> blah\blah\blah\logs\service.log<BR /> blah\blah\blah\logs\servlet.log</STRONG></P> <P>Does anyone have any ideas as to why my regex returns the error below? Thanks all!</P> <PRE><CODE>| rex field=source "\\\([^\\\]+)$" </CODE></PRE> <P>Error in 'rex' command: Encountered the following error while compiling the regex '([^]+)$': Regex: missing terminating ] for character class.</P> <P>P.S. The regex I am using above worked on regex 101</P> Thu, 10 Oct 2019 12:31:26 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494898#M137948 spluzer 2019-10-10T12:31:26Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494899#M137949 <H5>CORRECTION</H5> <P>Some text got cut out in posting<BR /> MY SPLUNK QUERY/REGEX IS THIS:</P> <P>| rex field=source "\([^\]+)$"</P> Thu, 10 Oct 2019 12:37:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494899#M137949 spluzer 2019-10-10T12:37:56Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494900#M137950 <P>Hi spluzer,<BR /> try this</P> <PRE><CODE>\\(?&lt;log_name&gt;\w+\.\w+)$ </CODE></PRE> <P>that you can test at <A href="https://regex101.com/r/kUsfJu/1">https://regex101.com/r/kUsfJu/1</A></P> <P>Bye.<BR /> Giuseppe</P> Thu, 10 Oct 2019 13:16:36 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494900#M137950 gcusello 2019-10-10T13:16:36Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494901#M137951 <P>Sorry, I should have been more clear. I need to capture everything after the last slash for all 5 logs. </P> <P>error.log<BR /> audit.log<BR /> utility.log<BR /> service.log<BR /> servlet.log</P> <P>Moreover, I couldn't get what you sent (entering the log name in individually) to work in regex 101 or splunk. </P> <P>Thanks!</P> Thu, 10 Oct 2019 15:05:55 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494901#M137951 spluzer 2019-10-10T15:05:55Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494902#M137952 <P>sorry, did you tried with </P> <PRE><CODE>| rex field=source "\\(?&lt;log_name&gt;\w+\.\w+)$" </CODE></PRE> <P>?<BR /> As you can see in regex101, it extracts all the requested filenames that are after tha last backslash.</P> <P>Bye.<BR /> Giuseppe</P> Thu, 10 Oct 2019 15:13:15 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494902#M137952 gcusello 2019-10-10T15:13:15Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494903#M137953 <P>Thanks. it required 3 slashes after the first quote.. and then it worked..thanks again! For some reason the 3rd slash (which I assume you posted) gets cut off when posting to the forum </P> <P>| rex field=source "\(?\w+.\w+)$"</P> Thu, 10 Oct 2019 15:31:14 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494903#M137953 spluzer 2019-10-10T15:31:14Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494904#M137954 <P>lol...it did it again !! THIS IS THE CORRECT ONE:</P> <P>| rex field=source "\\(?\w+.\w+)$"</P> Thu, 10 Oct 2019 15:33:47 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494904#M137954 spluzer 2019-10-10T15:33:47Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494905#M137955 <P>| rex field=source "\\(?\w+.\w+)$"</P> Thu, 10 Oct 2019 15:35:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494905#M137955 spluzer 2019-10-10T15:35:19Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494906#M137956 <P>| rex field=source "\\(?\w+.\w+)$</P> Thu, 10 Oct 2019 15:36:33 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494906#M137956 spluzer 2019-10-10T15:36:33Z https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494907#M137957 <P>lol...oh well i guess i cant post the correct code. it keeps getting overwritten during posting . anyway thanks Giuseppe. what you have is correct it just requires 3 slashes after the first quote </P> Thu, 10 Oct 2019 15:38:38 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-regex-error-Missing-terminating-for-character-class/m-p/494907#M137957 spluzer 2019-10-10T15:38:38Z