https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623787#M216857 <P>I found that this also works</P><P>&nbsp;</P><P><SPAN>rex "Brand\\\=\"(?&lt;brand&gt;.*?)\""</SPAN></P><P>&nbsp;</P><P><SPAN>the triple quotation marks escape the \, the \" surrounding the () handles the quotation marks in the event itself.</SPAN></P> Fri, 09 Dec 2022 04:17:43 GMT retro-bloke 2022-12-09T04:17:43Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623774#M216850 <P>in the raw event there is a line that goes Brand\="xyz"</P> <P>&nbsp;</P> <P>What's the rex command I can use to extract this in my search?</P> <P>&nbsp;</P> <P>If possible, I'd like to remove the \ and "" from the extraction itself.</P> Fri, 09 Dec 2022 19:49:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623774#M216850 retro-bloke 2022-12-09T19:49:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623775#M216851 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252026">@retro-bloke</a>&nbsp;... May i know if you are looking for a rex search query&nbsp;</P><P>or..</P><P>you want to update the props.conf file for the purpose of field extraction, please confirm, thanks.</P> Fri, 09 Dec 2022 00:47:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623775#M216851 inventsekar 2022-12-09T00:47:07Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623776#M216852 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a>, I am looking for a rex search query</P> Fri, 09 Dec 2022 00:48:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623776#M216852 retro-bloke 2022-12-09T00:48:37Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623778#M216853 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252026">@retro-bloke</a>&nbsp;</P><P>Please check this: (you may need to modify little bit, depending on your logs.. if this does not work, pls give us some sample events)</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval temp="the test event is Brand\=\"xyz\"" |rex field=temp "(?P&lt;brand&gt;\w+)\"" |table temp brand</LI-CODE><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rex-brand.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22938i218468E50B375707/image-size/large?v=v2&amp;px=999" role="button" title="rex-brand.png" alt="rex-brand.png" /></span></P> Fri, 09 Dec 2022 01:11:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623778#M216853 inventsekar 2022-12-09T01:11:47Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623787#M216857 <P>I found that this also works</P><P>&nbsp;</P><P><SPAN>rex "Brand\\\=\"(?&lt;brand&gt;.*?)\""</SPAN></P><P>&nbsp;</P><P><SPAN>the triple quotation marks escape the \, the \" surrounding the () handles the quotation marks in the event itself.</SPAN></P> Fri, 09 Dec 2022 04:17:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-contains-backslash-and/m-p/623787#M216857 retro-bloke 2022-12-09T04:17:43Z