topic Re: Regex issue in Splunk Search

Regex issue

approachct — Wed, 11 May 2011 19:52:20 GMT

Having trouble with the below regex generated from the field extractor application
\w+:\\w+\\w+\(?P\w+\\w+)

When added to the search as below
index=utility sourcetype="componentcheck"|rex field=FILENAME \w+:\\w+\\w+\(?P\w+\\w+)

and example input of
d:\A\B\C\D\E\F.dll (there are back slashes between each letter)

I get an two of the same errors -
Error in 'rex' command: Encountered the following error while compiling the regex '\w+:\w+\w+(?P\w+\w+)': Regex: unmatched parentheses

What am I doing wrong?

Re: Regex issue

Lamar — Wed, 11 May 2011 20:15:22 GMT

I would write this a bit differently, more importantly you seem to be missing a backslash before your word-ish chunk after your field name (?P<area>\w+\w+)

Additionally, you might get it to evaluate a bit better if you write it this way:

[a-zA-Z]{1}\:\\\w+\\\w+\\(?P<area>\w+\\\w+)

I'm not sure if that's what you're trying to extract, but you get the general idea. And maybe I'm just a creature of habit but I like to put double quotes around my regex:

index=utility sourcetype="componentcheck"|rex field=FILENAME "[a-zA-Z]{1}\:\\\w+\\\w+\\(?P<area>\w+\\\w+)"

Re: Regex issue

approachct — Wed, 11 May 2011 20:21:33 GMT

Thanks, I copied your regex exactly, quotes and all, but I am still getting the below error with the suggested regex.
Error in 'rex' command: Encountered the following error while compiling the regex '[a-zA-Z]{1}:\w+\w+(?P\w+\w+)': Regex: unmatched parentheses

Re: Regex issue

Lamar — Wed, 11 May 2011 20:32:58 GMT

The "indexer/search head" is on Windows...yes?

Re: Regex issue

approachct — Thu, 12 May 2011 15:34:44 GMT

No the indexer is Linux

Re: Regex issue

tpflicke — Sun, 24 Nov 2013 15:03:54 GMT

The confusing/awkward bit is the escaping of backslash in regular expressions, see here, in short to match a literal \ you need \\\\

Below are a couple of solutions of how to extract the basename - anything surrounding the rex clause if just test framework.

| metadata type=sourcetypes | head 1 | eval FILENAME="d:\\A\\B\\C\\D\\E\\F.dll"  | rex field=FILENAME "[a-z]:.*\\\\(?<area>\w+\.\w+)" | table FILENAME, area

| metadata type=sourcetypes | head 1 | eval FILENAME="d:\\A\\B\\C\\D\\E\\F.dll"  | rex field=FILENAME "[a-zA-Z]\:\\\\(\w+\\\\)*(?<area>\w+\.\w+)" | table FILENAME, area

Re: Regex issue

cstump_splunk — Thu, 28 Dec 2017 20:00:56 GMT

The first parenthesis is escaped: (
The regex engine thinks that there is an unmatched closing parenthesis at the end of your expression.

Re: Regex issue

landen99 — Tue, 04 Sep 2018 16:51:06 GMT

Sample regex has many issues:

\w+:\\\w+\\\w+\(?P\w+\\\w+)

While the sample regex fails to escape the backslash correctly or name the capture group, here is what I think that you are trying to match:

| stats count | eval FILENAME="d:\\A\\B\\C\\D\\E\\F.dll"  | rex field=FILENAME "(\w+[\:\\\]+){3}(?<my_field>\w+\\\+\w+)" | table FILENAME, my_field

Re: Regex issue

kushagra9120 — Sat, 09 Feb 2019 10:14:52 GMT

Try this:-

"[a-zA-Z]:(?:(?:\\[a-zA-Z]){5}\\)(?P[a-zA-Z].\w+)"