Why is my rex command not working?

rajasplunk89 · ‎09-13-2022

Hi all,

I am trying to extract field ABDEF-999 in the name Id. But its not extracting when I use below commands. Could someone guide on what's the mistake in following rex.

|rex field="line" "\"Testcode\":\"(?<id>[^\"]*)\""|table id

Extracting from = \\\"Testcode\\\":\\\"ABDEF-999\\\"

scelikok · ‎09-14-2022

@rajasplunk89 ,

Sorry, Splunk needs an extra escape for backslash;

| rex field=line "\"Testcode\S+\":\S+\"(?<id>[^\\\]+)\S+\"" | table id

If this reply helps you an upvote and "Accept as Solution" is appreciated.

rajasplunk89 · ‎09-13-2022

Is there anything I can do to resolve the error?

rajasplunk89 · ‎09-13-2022

Error in 'rex' command: Encountered the following error while compiling the regex '"Testcode\S+":\S+"(?<id>[^\]+)\S+"': Regex: missing terminating ] for character class

scelikok · ‎09-13-2022

Hi @rajasplunk89,

Below should work;

| rex field=line "\"Testcode\S+\":\S+\"(?<id>[^\\]+)\S+\"" | table id

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Why is my rex command not working?

troubleshooting

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?