https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197203#M56951 <P>I didn't really understand you data, but the follwing <CODE>rex</CODE> will extract the username part of a <CODE>domain\user</CODE> type string. Assuming the field is called "domain_user" and contains the value <CODE>acme\bob</CODE> </P> <PRE><CODE>... | rex field = domain_user "[^\\\\]+\\\\(?&lt;user&gt;.*)" </CODE></PRE> <P>should extract <CODE>bob</CODE> into the field <CODE>user</CODE>.</P> <P>/K</P> <P>EDIT: corrected the number of backslashes required.</P> Wed, 27 Aug 2014 19:21:27 GMT kristian_kolb 2014-08-27T19:21:27Z https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197202#M56950 <P>Hi,</P> <P>I want to create a new field, from a string, showing the domain user, where the only constant is "\" which I don't want included.</P> <P>Sample input:</P> <P>(no field either side of "\" is predictable)</P> <P>12345\alice<BR /> 45632\__test_account__<BR /> PC123\bob</P> <P>My search:</P> <PRE><CODE>index="dc_report" | rex field=domain_user "(?&lt;user&gt;^.*\\(.*$))" </CODE></PRE> <P>This results in unmatched parentheses. Is there a way to use &amp;#92 (hmtl "\") instead of negation?</P> <P>The other route is to use the index of "\" and then select to the right. Unsure of what functions to use/how to use them. </P> Wed, 27 Aug 2014 18:32:56 GMT https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197202#M56950 jdbtee 2014-08-27T18:32:56Z https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197203#M56951 <P>I didn't really understand you data, but the follwing <CODE>rex</CODE> will extract the username part of a <CODE>domain\user</CODE> type string. Assuming the field is called "domain_user" and contains the value <CODE>acme\bob</CODE> </P> <PRE><CODE>... | rex field = domain_user "[^\\\\]+\\\\(?&lt;user&gt;.*)" </CODE></PRE> <P>should extract <CODE>bob</CODE> into the field <CODE>user</CODE>.</P> <P>/K</P> <P>EDIT: corrected the number of backslashes required.</P> Wed, 27 Aug 2014 19:21:27 GMT https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197203#M56951 kristian_kolb 2014-08-27T19:21:27Z https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197204#M56952 <P>Hi,</P> <P>Your solution still negates the 2nd "]" resulting in the error message "Regex: missing terminating ] for character class"</P> Wed, 27 Aug 2014 19:30:42 GMT https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197204#M56952 jdbtee 2014-08-27T19:30:42Z https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197205#M56953 <P>My solution, although not sure how cpu intensive this is.</P> <PRE><CODE>index="dc_report"| eval user=mvindex(split(domain_user,"\\"),1) </CODE></PRE> <P>This splits the x\y on the "\" and then passes the output of the 2nd value (i.e. index starts at 0), using mvindex, to the variable "user".</P> Wed, 27 Aug 2014 19:32:20 GMT https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197205#M56953 jdbtee 2014-08-27T19:32:20Z https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197206#M56954 <P>I'd still like to see this done in regex, but it seems Splunk negates any type of parenthesis proceeding a negated backslash, where the online regex testers are unaffected.</P> <P>Do functions have a significant overhead compared to regex?</P> Wed, 27 Aug 2014 19:53:06 GMT https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197206#M56954 jdbtee 2014-08-27T19:53:06Z https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197207#M56955 <P>OOPS. The backslashes need to be escaped twice, i.e. four backslashes.</P> <P>The search language needs escaping <CODE>\\\\</CODE> -&gt; <CODE>\\</CODE><BR /> then rex needs escaping as well <CODE>\\</CODE> -&gt; <CODE>\</CODE></P> <P>Profit!</P> <P>/K</P> Wed, 27 Aug 2014 21:07:23 GMT https://community.splunk.com/t5/Splunk-Search/negate-a-backslash-in-regex-without-negating-other-characters/m-p/197207#M56955 kristian_kolb 2014-08-27T21:07:23Z