Why is my rex command not working?

rajasplunk89 · ‎09-13-2022

Hi all,

I am trying to extract field ABDEF-999 in the name Id. But its not extracting when I use below commands. Could someone guide on what's the mistake in following rex.

|rex field="line" "\"Testcode\":\"(?<id>[^\"]*)\""|table id

Extracting from = \\\"Testcode\\\":\\\"ABDEF-999\\\"

scelikok · ‎09-14-2022

@rajasplunk89 ,

Sorry, Splunk needs an extra escape for backslash;

| rex field=line "\"Testcode\S+\":\S+\"(?<id>[^\\\]+)\S+\"" | table id

If this reply helps you an upvote and "Accept as Solution" is appreciated.

rajasplunk89 · ‎09-13-2022

Is there anything I can do to resolve the error?

rajasplunk89 · ‎09-13-2022

Error in 'rex' command: Encountered the following error while compiling the regex '"Testcode\S+":\S+"(?<id>[^\]+)\S+"': Regex: missing terminating ] for character class

scelikok · ‎09-13-2022

Hi @rajasplunk89,

Below should work;

| rex field=line "\"Testcode\S+\":\S+\"(?<id>[^\\]+)\S+\"" | table id

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Why is my rex command not working?

troubleshooting

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?

Why is my rex command not working?

troubleshooting

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025