
Another RegEx Question

lehrfeld
Path Finder

I have been engaged in an arm-wrestling contest with Splunk for the past couple of hours over regex, and it has been beating me pretty soundly. I have read the Splunk docs and looked at the various regex help sites, but I can't get it working. In fact, my regex works on http://rubular.com/ just fine. But when I put it in a search it barfs, then laughs at me.

I have weblog data and I would like to search for COMPANY\userID and place userID in a label for use down the pipeline. This is what the data looks like:

2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\userID 10.1.1.1 .....
2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\userID 10.2.2.2 .....

I would like to extract the userID and then perform stats on them (number of concurrent users, etc).

My code so far, which works in Perl, is "COMPANY\\w+", but when I use it in Splunk it tanks:

<base search> | rex field=_raw "COMPANY\\\w+(?<testID>)"

It does not populate the testID field correctly and it also includes results that do not have COMPANY in it.
Thanks in advance for any tips or tricks! Mike


wpreston
Motivator

Try this:

<base search=""> | rex field=_raw "COMPANY\\\(?<testid>\w+)"

The parenthesis are the regex capturing group, and the expression of the items you're trying to capture must be inside the parenthesis to be extracted as the field value.
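Why the answer above needs three backslashes, and why two (with or without a space) fail, becomes clear once you see that the pattern passes through two layers: the SPL parser unescapes the double-quoted string first, and only then does rex compile what is left as a regex. The following Python is an added worked example, not code from the thread or from Splunk: it models those two layers over a few constructed log lines in the format of the question. The unescape rule it assumes is a simplified reading of the documented SPL quoting rule (a backslash escapes a quote, a pipe or another backslash; any other backslash is passed through), and the user names in the sample events are made up.

```python
import re
from collections import Counter

# Constructed sample events in the shape shown in the question (not real log data).
SAMPLE_LINES = [
    r"2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\jsmith 10.1.1.1 .....",
    r"2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\adoe 10.2.2.2 .....",
    r"2014-03-19 12:59:30 W3SVXYZ 10.0.0.1 GET COMPANY\jsmith 10.1.1.1 .....",
    r"2014-03-19 13:00:00 W3SVXYZ 10.0.0.1 GET /healthcheck 10.3.3.3 .....",
]


def spl_unescape(literal: str) -> str:
    """Layer 1: what the SPL parser does to a double-quoted string before rex sees it.

    Assumed (simplified) rule: a backslash escapes a quote, a pipe or another
    backslash; any other backslash is passed through unchanged.
    """
    out = []
    i = 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"|':
            out.append(literal[i + 1])   # \\ -> \    \" -> "    \| -> |
            i += 2
        else:
            out.append(literal[i])       # \( \w \d ... stay exactly as written
            i += 1
    return "".join(out)


def to_python_regex(pcre: str) -> str:
    """rex uses PCRE, which accepts (?<name>...); Python's re needs (?P<name>...).

    Lookbehind (?<= and (?<! are left alone because a letter must follow the '<'.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre)


def rex(literal: str, lines):
    """Layer 2: model of `| rex field=_raw "<literal>"` over the raw events.

    Returns one dict of extracted fields per event ({} when nothing matched;
    rex never drops events, it only adds fields), or an error string when the
    regex does not compile.
    """
    try:
        pattern = re.compile(to_python_regex(spl_unescape(literal)))
    except re.error as exc:
        return f"error: {exc}"
    results = []
    for line in lines:
        match = pattern.search(line)
        results.append(match.groupdict() if match else {})
    return results


def count_by_user(extractions) -> dict:
    """Rough analogue of `| stats count by testid` over the rex output."""
    return dict(Counter(e["testid"] for e in extractions if "testid" in e))


if __name__ == "__main__":
    for literal in (
        r"COMPANY\\\w+(?<testID>)",    # the question's attempt: the capture group is empty
        r"COMPANY\\(?<testid>\w+)",    # two backslashes: \\ -> \ and then \( is a literal paren
        r"COMPANY\\ (?<testid>\w+)",   # two backslashes + space: regex wants "COMPANY " not "COMPANY\"
        r"COMPANY\\\(?<testid>\w+)",   # accepted answer: \\ -> \ and \( passes through, so regex sees \\(
    ):
        print(f'"{literal}"  ->  regex {spl_unescape(literal)!r}  ->  {rex(literal, SAMPLE_LINES)}')
    print(count_by_user(rex(r"COMPANY\\\(?<testid>\w+)", SAMPLE_LINES)))
```

Run it and the four cases line up with the thread: the original attempt compiles but extracts nothing (and every event is still returned, because rex only adds fields), two backslashes turn `\(` into an escaped parenthesis and leave the closing `)` unmatched, the space variant looks for "COMPANY " rather than "COMPANY\", and only the three-backslash form reaches the regex engine as `\\(`, a literal backslash followed by the capture group.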


somesoni2
Revered Legend

To escape ", we added 1 slash. To escape that slash, we added another two slashes.


lehrfeld
Path Finder

3 slashes did it! Any comment on why three are needed in this case? Thank you!


somesoni2
Revered Legend

Use 3 slashes and no space.

lehrfeld
Path Finder

Thanks for the response. Using the above regex yields an error: "unmatched parentheses". But when I place a space after the double backslash, the results are not correct. It almost appears that the backslash in "COMPANY\userID" is not being found by the regex.
