Splunk Search

Another RegEx Question

lehrfeld
Path Finder

I have been engaged in an arm wrestling contest with Splunk for the past couple of hours with regex and it has been beating me pretty soundly. I have read the Splunk docs and looked at the various regex help sites but I can't get it working. In fact, my regex works on http://rubular.com/ just fine. But when I put it in a search it barfs..., then laughs at me.

I have weblog data and I would like to search for COMPANY\userID and place userID in a label for use down the pipeline. This is what the data looks like:

2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\userID 10.1.1.1 .....
2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\userID 10.2.2.2 .....

I would like to extract the userID and then perform stats on them (number of concurrent users, etc).

My code so far that works in Perl is "COMPANY\\w+" but when I use it in Splunk it tanks.

<base search> | rex field=_raw "COMPANY\\\w+(?<testID>)"

It does not populate the testID field correctly and it also includes results that do not have COMPANY in it.
Thanks in advance for any tips or tricks! Mike

0 Karma
1 Solution

wpreston
Motivator

Try this:

<base search=""> | rex field=_raw "COMPANY\\\(?<testid>\w+)"

The parentheses are the regex capturing group, and the expression for the items you're trying to capture must be inside the parentheses to be extracted as the field value.

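As an added example (not from the thread or from Splunk), the following Python script shows the two points in the accepted answer on constructed log lines in the question's format: the extracted value must sit inside the named capturing group, and a pattern passes through a string-literal escaping layer before the regex engine sees it, so a literal backslash in the data needs backslashes at both layers. Python's string-literal rules are used here to illustrate the layering; they are not the same as SPL's quoting rules, and Python names groups as (?P<name>...) rather than the (?<name>...) form Splunk's rex uses. The user names and the third line without a domain user are constructed sample data.

```python
import re

# Constructed sample lines modelled on the question's log format; the user
# names and the line without a COMPANY\user value are invented for this example.
LOG_LINES = [
    "2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\\alice 10.1.1.1 .....",
    "2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\\bob 10.2.2.2 .....",
    "2014-03-19 13:00:00 W3SVXYZ 10.0.0.1 GET - 10.3.3.3 .....",
    "2014-03-19 13:01:00 W3SVXYZ 10.0.0.1 POST COMPANY\\alice 10.1.1.1 .....",
]

# Layer 1: the Python string literal. A normal literal consumes one level of
# backslashes, so "\\\\" becomes the two characters \\ that the regex engine sees.
# Layer 2: the regex engine, where \\ means one literal backslash in the data.
# The raw string is the same pattern with layer 1 removed; both are identical.
PATTERN_ESCAPED = "COMPANY\\\\(?P<testid>\\w+)"
PATTERN_RAW = r"COMPANY\\(?P<testid>\w+)"
assert PATTERN_ESCAPED == PATTERN_RAW

# The question's original shape: \w+ sits outside the group, so the group is
# empty and the extracted field is always the empty string.
PATTERN_EMPTY_GROUP = r"COMPANY\\\w+(?P<testid>)"


def extract_userids(lines, pattern=PATTERN_RAW):
    """Return the testid value for every line the pattern matches.

    Lines without COMPANY\\<user> yield nothing here; in Splunk the event still
    flows through rex, it simply has no testid field, which is why results
    without COMPANY appeared in the question's search.
    """
    rx = re.compile(pattern)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append(m.group("testid"))
    return hits


def distinct_user_count(lines, pattern=PATTERN_RAW):
    """The downstream 'stats' step: number of distinct users (dc(testid) in SPL)."""
    return len(set(extract_userids(lines, pattern)))


if __name__ == "__main__":
    print(extract_userids(LOG_LINES))                       # ['alice', 'bob', 'alice']
    print(distinct_user_count(LOG_LINES))                   # 2
    print(extract_userids(LOG_LINES, PATTERN_EMPTY_GROUP))  # ['', '', '']
```

Running the script prints the three user IDs from the matching lines, a distinct count of 2, and three empty strings for the pattern with the empty group, which is the behaviour the question describes as "does not populate the testID field correctly".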

somesoni2
Revered Legend

To escape ", we added 1 slash. To escape that slash, we added another two slashes.

0 Karma

lehrfeld
Path Finder

3 slashes did it! Any comment on why three are needed in this case? Thank you!

0 Karma

somesoni2
Revered Legend

Use 3 slashes and no space.

lehrfeld
Path Finder

Thanks for the response. Using the above regex yields an error: "unmatched parentheses". But when I place a space after the double backslash, the results are not correct. It almost appears that the backslash in "COMPANY\userID" is not being found by the regex.

0 Karma