https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677143#M231542 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/264780">@syk19567</a>,</P><P>it's a bug that I requested to solve for one of our biggest customers:</P><P>if you tested a regex containing a backslas in regex101 and it runs, to use this regex in a search you have to add other two backslashes to each backslash.</P><P>If instead you want to use this regex in a field extraction, you have to use the regex from regex1010 (the one with one backslash).</P><P>so the regex to use in a search is:</P><LI-CODE lang="markup">| rex "\\\\\"submission_id\\\\\":(?&lt;submission_id&gt;\d+)"</LI-CODE><P>instead the regex to use in the extract field (and regex101) is</P><LI-CODE lang="markup">\\\"submission_id\\\":(?P&lt;submission_id&gt;\d+)</LI-CODE><P>In addition, if you try to use the IFX on the same sourcetype, you have an error and you cannot use IFX.</P><P>As I said, I asked to solve this bug but they didn't give me a date.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 09 Feb 2024 16:53:06 GMT gcusello 2024-02-09T16:53:06Z https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677140#M231539 <P>Hi community,</P><P>I'm using rex to get some strings.</P><P>The log is like</P><LI-CODE lang="markup">\"submission_id\":337901</LI-CODE><P>The regex I'm using is:</P><LI-CODE lang="markup">\"submission_id\\\":(?&lt;subID&gt;\d+)</LI-CODE><P>It works well on regex101:<BR /><A href="https://regex101.com/r/Usr7Ki/1" target="_blank">https://regex101.com/r/Usr7Ki/1</A><BR /><BR />However, in Splunk, it doesn't find anything.<BR />The command is (just added double quotes to wrap the regex)</P><LI-CODE lang="markup">rex "\"submission_id\\\":(?&lt;subID&gt;\d+)"</LI-CODE><P>&nbsp;Any ideas and suggestions are appreciated!</P> Fri, 09 Feb 2024 16:39:35 GMT https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677140#M231539 syk19567 2024-02-09T16:39:35Z https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677142#M231541 <P>You need to double up on some of your backslashes</P><LI-CODE lang="markup">| rex "\\\"submission_id\\\\\":(?&lt;subID&gt;\d+)"</LI-CODE><P>Essentially, the rex command goes through a extra step of string parsing so backslashes have to be escaped an extra time</P> Fri, 09 Feb 2024 16:46:45 GMT https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677142#M231541 ITWhisperer 2024-02-09T16:46:45Z https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677143#M231542 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/264780">@syk19567</a>,</P><P>it's a bug that I requested to solve for one of our biggest customers:</P><P>if you tested a regex containing a backslas in regex101 and it runs, to use this regex in a search you have to add other two backslashes to each backslash.</P><P>If instead you want to use this regex in a field extraction, you have to use the regex from regex1010 (the one with one backslash).</P><P>so the regex to use in a search is:</P><LI-CODE lang="markup">| rex "\\\\\"submission_id\\\\\":(?&lt;submission_id&gt;\d+)"</LI-CODE><P>instead the regex to use in the extract field (and regex101) is</P><LI-CODE lang="markup">\\\"submission_id\\\":(?P&lt;submission_id&gt;\d+)</LI-CODE><P>In addition, if you try to use the IFX on the same sourcetype, you have an error and you cannot use IFX.</P><P>As I said, I asked to solve this bug but they didn't give me a date.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 09 Feb 2024 16:53:06 GMT https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677143#M231542 gcusello 2024-02-09T16:53:06Z https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677144#M231543 <P>This blows my mind and I'm kinda lost. But this really works!! Thank you!</P> Fri, 09 Feb 2024 16:53:21 GMT https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677144#M231543 syk19567 2024-02-09T16:53:21Z https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677145#M231544 Rule of thumb in splunk with rex. Add \-characters until it works <span class="lia-unicode-emoji" title=":winking_face:">😉</span> Fri, 09 Feb 2024 16:55:15 GMT https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677145#M231544 isoutamo 2024-02-09T16:55:15Z https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677152#M231547 <P>Thank you&nbsp;<SPAN>Giuseppe, this is very informative!</SPAN></P> Fri, 09 Feb 2024 17:31:28 GMT https://community.splunk.com/t5/Splunk-Search/Regex-works-on-regex101-but-not-splunk/m-p/677152#M231547 syk19567 2024-02-09T17:31:28Z