Splunk Search

Another RegEx Question

lehrfeld
Path Finder

I have been engaged in an arm wrestling contest with Splunk for the past couple of hours with regex and it has been beating me pretty soundly. I have read the Splunk docs and looked at the various regex help sites but I can't get it working. In fact, my regex works on http://rubular.com/ just fine. But when I put it in a search it barfs..., then laughs at me.

I have weblog data and I would like to search for COMPANY\userID and place userID in a label for use down the pipeline. This is what the data looks like

2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\userID 10.1.1.1 .....
2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\userID 10.2.2.2 .....

I would like to extract the userID and then perform stats on them (number of concurrent users, etc).

My code so far that works in Perl is "COMPANY\\w+" but when I use it in splunk it tanks.

<base search> | rex field=_raw "COMPANY\\\w+(?<testID>)"

It does not populate the testID field correctly and it also includes results that do not have COMPANY in it.
Thanks in advance for any tips or tricks! Mike

0 Karma
1 Solution

wpreston
Motivator

Try this:

<base search=""> | rex field=_raw "COMPANY\\\(?<testid>\w+)"

The parentheses are the regex capturing group, and the expression for the items you're trying to capture must be inside the parentheses to be extracted as the field value.


somesoni2
Revered Legend

To escape ", we added 1 slash. To escape that slash we added another two slashes.

0 Karma
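Added example, not from anyone in this thread: the pattern has to survive two layers of escaping, one for the regex engine (a literal backslash is `\\`) and one for the quoted string that carries the pattern, which is why the source text grows extra backslashes. JavaScript is used because it shares the `(?<name>...)` named-group syntax of the rex command; the log lines are constructed to match the format in the question, and `extractUser`/`userStats` are stand-ins for `rex` and `stats`, not Splunk APIs.

```javascript
// Constructed sample lines modelled on the weblog format in the question.
const LINES = [
  "2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\\alice 10.1.1.1 .....",
  "2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\\bob 10.2.2.2 .....",
  "2014-03-19 13:00:00 W3SVXYZ 10.0.0.1 GET COMPANY\\alice 10.1.1.1 .....",
  "2014-03-19 13:01:00 W3SVXYZ 10.0.0.1 GET /health 10.3.3.3 .....", // no COMPANY\ user
];

// Layer 1: the regex engine needs  COMPANY\\(?<testid>\w+)  where \\ is one literal backslash.
// Layer 2: when that pattern is written inside a quoted string, every regex backslash must
// itself be escaped, so the source text doubles again. A regex literal skips layer 2.
const FROM_STRING = new RegExp("COMPANY\\\\(?<testid>\\w+)");
const FROM_LITERAL = /COMPANY\\(?<testid>\w+)/;

// The pattern from the question: the named group is empty, so the field is set to "".
const EMPTY_GROUP = /COMPANY\\\w+(?<testID>)/;

// Stand-in for `rex field=_raw`: the captured field, or null when the line does not match.
function extractUser(line, re = FROM_LITERAL) {
  const m = re.exec(line);
  return m ? Object.values(m.groups)[0] : null;
}

// Stand-in for `stats count by testid` and `dc(testid)`: unmatched lines carry no field
// and therefore drop out of the per-user counts.
function userStats(lines, re = FROM_LITERAL) {
  const counts = {};
  for (const line of lines) {
    const user = extractUser(line, re);
    if (user === null) continue;
    counts[user] = (counts[user] || 0) + 1;
  }
  return { counts, distinct: Object.keys(counts).length };
}

console.log(FROM_STRING.source === FROM_LITERAL.source); // both layers collapse to one regex
console.log(userStats(LINES));               // { counts: { alice: 2, bob: 1 }, distinct: 2 }
console.log(userStats(LINES, EMPTY_GROUP));  // { counts: { '': 3 }, distinct: 1 }
```

The last line reproduces the symptom in the question: with an empty group the field is populated, but every matching line gets an empty userID.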

lehrfeld
Path Finder

3 slashes did it! Any comment on why three are needed in this case? Thank you!

0 Karma

somesoni2
Revered Legend

Use 3 slashes and no space.

lehrfeld
Path Finder

Thanks for the response. Using the above regex yields an error, "unmatched parentheses". But when I place a space after the double backslash the results are not correct. It almost appears that the backslash in "COMPANY\userID" is not being found by the regex.

0 Karma