topic Re: Field Extraction With Backslash in Splunk Search

Field Extraction With Backslash

michaeldeck — Thu, 07 Dec 2017 15:37:51 GMT

I am attempting to extract a user field from a log file using the following regex:

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+)

Here is a sample event:
"Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"

This regex works correctly in regex101 and returns only the username as desired "username". This doesn't find a match in Splunk and I can only seem to get the extraction to work if I omit the backslash and extract the user field as "DOMAIN\username". What is the correct syntax in Splunk to escape a backslash?

Re: Field Extraction With Backslash

harsmarvania57 — Thu, 07 Dec 2017 15:43:47 GMT

Try three back-slash

This one is working perfectly fine.

| makeresults 
| eval _raw="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"
| rex "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\(?P<user>[^,]+)"

Re: Field Extraction With Backslash

somesoni2 — Thu, 07 Dec 2017 15:44:38 GMT

Just use 3 backslash, like this

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\(?P<user>[^,]+)

Re: Field Extraction With Backslash

michaeldeck — Tue, 29 Sep 2020 17:10:00 GMT

3 backslashes in the field extraction give me the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?ms)(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P[^,]+)': Regex: unmatched closing parenthesis

In the error, it also seems to add more backslashes even though I only have 3 in my original regex.

Re: Field Extraction With Backslash

michaeldeck — Tue, 29 Sep 2020 17:10:05 GMT

Your suggestion works in regular search, but I receive the following error within the field extraction:

Re: Field Extraction With Backslash

harsmarvania57 — Thu, 07 Dec 2017 16:07:12 GMT

When I tried in my splunk instance with you regex (?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+), it's working perfectly fine and I have indexed sample data which you have provided and it is extracting user field.

Are you providing sourcetype OR source with correct value while creating field extraction?

Re: Field Extraction With Backslash

michaeldeck — Thu, 07 Dec 2017 16:10:48 GMT

I am providing sourcetype.

Re: Field Extraction With Backslash

sbbadri — Tue, 29 Sep 2020 17:10:11 GMT

@michaeldeck

please try this,

| makeresults | eval test="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111" | rex field=test "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+\w+.(?P<user>[^,]+)"

Re: Field Extraction With Backslash

somesoni2 — Thu, 07 Dec 2017 16:30:30 GMT

Actually try with 4 backslash only.

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\\(?P<user>[^,]+)

Re: Field Extraction With Backslash

wenthold — Thu, 07 Dec 2017 16:35:24 GMT

Try using \x5c:

user:\s+DOMAIN\x5c(?P<user>[^\,]+)