https://community.splunk.com/t5/Splunk-Search/Having-trouble-with-rex-matching-wildcards-with-escaped-double/m-p/640859#M222034 <P class="lia-align-left">Hi there, I am having some trouble matching patterns from a search string using the rex command.</P><P class="lia-align-left">I will show the message I am trying to search on, as well as several rex statements that I am using to find and extract certain bits of data (denoted by asterisks) into fields that I use in a table statement. rex statements matching wildcards populated by digits works fine, but I'm not able to match and extract data matching asterisks when they&nbsp; are within quotes even if I escape them.</P><P class="lia-align-left"><STRONG>| search Message="Error in breakfast table *, table name \"*\". The quick brown fox jumped over the lazy dog. The maximum length of the \"*\" data is currently set to * hotdogs, but the bun length is * inches. Increase the maximum length of the \"*\" bun to at least * inches and retry.*"</STRONG><BR /><STRONG>| rex "Error in breakfast table (?&lt;breakfast_table&gt;\d+)" | rename breakfast_table as "BT"</STRONG></P><P class="lia-align-left"><STRONG>| rex "table name \"(?&lt;table_name&gt;[^\"]*)\"" | rename table_name as "TN"</STRONG><BR /><STRONG>| rex "maximum length of the \"(?&lt;max_bunlength&gt;[^\"]*)\"" | rename max_bunlength as "MB"</STRONG></P><P class="lia-align-left"><STRONG>| rex "data is currently set to (?&lt;current_length&gt;\d+)" | rename current_length as "Current Length"</STRONG></P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">I am able to pattern match correctly on asterisks because they just represent number values. I am having trouble with asterisks within double quotes. For example, a real message may show "AB" or "Z" but this line will not match it, even though I have confirmed on regex101 that it should be matching the letters AB or Z correctly -&gt; <STRONG>| rex "table name \"(?&lt;table_name&gt;[^\"]*)\"" | rename table_name as "TN"</STRONG></P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">Any suggestions on this?</P> Thu, 20 Apr 2023 16:03:14 GMT weropitjpoerit 2023-04-20T16:03:14Z https://community.splunk.com/t5/Splunk-Search/Having-trouble-with-rex-matching-wildcards-with-escaped-double/m-p/640859#M222034 <P class="lia-align-left">Hi there, I am having some trouble matching patterns from a search string using the rex command.</P><P class="lia-align-left">I will show the message I am trying to search on, as well as several rex statements that I am using to find and extract certain bits of data (denoted by asterisks) into fields that I use in a table statement. rex statements matching wildcards populated by digits works fine, but I'm not able to match and extract data matching asterisks when they&nbsp; are within quotes even if I escape them.</P><P class="lia-align-left"><STRONG>| search Message="Error in breakfast table *, table name \"*\". The quick brown fox jumped over the lazy dog. The maximum length of the \"*\" data is currently set to * hotdogs, but the bun length is * inches. Increase the maximum length of the \"*\" bun to at least * inches and retry.*"</STRONG><BR /><STRONG>| rex "Error in breakfast table (?&lt;breakfast_table&gt;\d+)" | rename breakfast_table as "BT"</STRONG></P><P class="lia-align-left"><STRONG>| rex "table name \"(?&lt;table_name&gt;[^\"]*)\"" | rename table_name as "TN"</STRONG><BR /><STRONG>| rex "maximum length of the \"(?&lt;max_bunlength&gt;[^\"]*)\"" | rename max_bunlength as "MB"</STRONG></P><P class="lia-align-left"><STRONG>| rex "data is currently set to (?&lt;current_length&gt;\d+)" | rename current_length as "Current Length"</STRONG></P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">I am able to pattern match correctly on asterisks because they just represent number values. I am having trouble with asterisks within double quotes. For example, a real message may show "AB" or "Z" but this line will not match it, even though I have confirmed on regex101 that it should be matching the letters AB or Z correctly -&gt; <STRONG>| rex "table name \"(?&lt;table_name&gt;[^\"]*)\"" | rename table_name as "TN"</STRONG></P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">Any suggestions on this?</P> Thu, 20 Apr 2023 16:03:14 GMT https://community.splunk.com/t5/Splunk-Search/Having-trouble-with-rex-matching-wildcards-with-escaped-double/m-p/640859#M222034 weropitjpoerit 2023-04-20T16:03:14Z https://community.splunk.com/t5/Splunk-Search/Having-trouble-with-rex-matching-wildcards-with-escaped-double/m-p/640890#M222052 <P>To help with rex questions we really need to see example data.&nbsp; Please share sanitized events.</P> Thu, 20 Apr 2023 18:20:03 GMT https://community.splunk.com/t5/Splunk-Search/Having-trouble-with-rex-matching-wildcards-with-escaped-double/m-p/640890#M222052 richgalloway 2023-04-20T18:20:03Z https://community.splunk.com/t5/Splunk-Search/Having-trouble-with-rex-matching-wildcards-with-escaped-double/m-p/640904#M222059 <P>I can't share the _raw event I used but I can mention how I was able to solve this issue.</P><P>&nbsp;</P><P>I went through the Extract New Fields process, highlighted the bit of information I needed like so -&gt; \"<FONT color="#FF0000">author</FONT>\", viewed the generated regex, opened it in search so I could see the full |rex command that was generated, and used that.</P> Thu, 20 Apr 2023 19:13:55 GMT https://community.splunk.com/t5/Splunk-Search/Having-trouble-with-rex-matching-wildcards-with-escaped-double/m-p/640904#M222059 weropitjpoerit 2023-04-20T19:13:55Z