Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is my rex command not working?

rajasplunk89
Engager
‎09-13-2022 09:44 PM

Hi all,

I am trying to extract field ABDEF-999 in the name Id. But its not extracting when I use below commands. Could someone guide on what's the mistake in following rex.

|rex field="line" "\"Testcode\":\"(?<id>[^\"]*)\""|table id

 

Extracting from =   \\\"Testcode\\\":\\\"ABDEF-999\\\"

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎09-14-2022 02:05 AM

@rajasplunk89 ,

Sorry, Splunk needs an extra escape for backslash; 

| rex field=line "\"Testcode\S+\":\S+\"(?<id>[^\\\]+)\S+\"" | table id
If this reply helps you an upvote is appreciated.
0 Karma
Reply

rajasplunk89
Engager
‎09-13-2022 10:26 PM

Is there anything I can do to resolve the error?

0 Karma
Reply

rajasplunk89
Engager
‎09-13-2022 10:05 PM

Error in 'rex' command: Encountered the following error while compiling the regex '"Testcode\S+":\S+"(?<id>[^\]+)\S+"': Regex: missing terminating ] for character class

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎09-13-2022 09:52 PM

Hi @rajasplunk89,

Below should work;

| rex field=line "\"Testcode\S+\":\S+\"(?<id>[^\\]+)\S+\"" | table id
If this reply helps you an upvote is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out &gt;&gt; &#x1f3c6; Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...