I have been engaged in an arm wrestling contest with Splunk for the past couple of hours over regex, and it has been beating me pretty soundly. I have read the Splunk docs and looked at the various regex help sites, but I can't get it working. In fact, my regex works on http://rubular.com/ just fine. But when I put it in a search it barfs, then laughs at me.
I have weblog data and I would like to search for COMPANY\userID and place userID in a label for use down the pipeline. This is what the data looks like:
2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\userID 10.1.1.1 .....
2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\userID 10.2.2.2 .....
I would like to extract the userID and then perform stats on them (number of concurrent users, etc).
My code so far that works in Perl is "COMPANY\\w+", but when I use it in Splunk it tanks.
<base search> | rex field=_raw "COMPANY\\\w+(?<testID>)"
It does not populate the testID field correctly and it also includes results that do not have COMPANY in it.
Thanks in advance for any tips or tricks! Mike
Try this:
<base search=""> | rex field=_raw "COMPANY\\\(?<testid>\w+)"
The parenthesis are the regex capturing group, and the expression of the items you're trying to capture must be inside the parenthesis to be extracted as the field value.
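As an added illustration (not part of the original answer), the following Ruby script models the two layers the rex argument passes through: first Splunk's unescaping of the double-quoted string, then the regex engine. Ruby is used because its engine accepts the same (?<name>...) group syntax as PCRE and rubular.com. The unescaping rule is an assumed simplification ("\\" becomes one backslash, "\"" becomes a quote, everything else is passed through), the log lines are constructed to match the shape in the question, and the function names are the example's own.

```ruby
require 'set'

# Constructed sample weblog lines in the shape shown in the question.
LOG_LINES = [
  '2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\alice 10.1.1.1 /home',
  '2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\bob 10.2.2.2 /login',
  '2014-03-19 12:59:30 W3SVXYZ 10.0.0.1 GET COMPANY\alice 10.1.1.1 /report',
  '2014-03-19 13:00:00 W3SVXYZ 10.0.0.1 GET - 10.3.3.3 /public' # no user
].freeze

BS = '\\' # one backslash character, used to build the rex arguments explicitly

# The rex arguments as they appear between the quotes in the search, with
# two, three and four backslashes before the capturing group.
REX_TWO   = "COMPANY#{BS * 2}(?<testid>#{BS}w+)"
REX_THREE = "COMPANY#{BS * 3}(?<testid>#{BS}w+)"
REX_FOUR  = "COMPANY#{BS * 4}(?<testid>#{BS}w+)"
# The pattern from the question: three backslashes, then w+, then an empty group.
REX_ASKED = "COMPANY#{BS * 3}w+(?<testID>)"

# Assumed simplification of Splunk's quoting rules for a double-quoted string:
# "\\" collapses to one backslash and "\"" to a quote; every other backslash
# sequence (such as \w or \() is passed through to the regex engine unchanged.
def splunk_unescape(arg)
  arg.gsub(/\\(.)/) { |seq| ($1 == '\\' || $1 == '"') ? $1 : seq }
end

# Compile the unescaped pattern; nil when the regex engine rejects it, which is
# the "unmatched parentheses" failure the thread describes for too few slashes.
def compile_rex(arg)
  Regexp.new(splunk_unescape(arg))
rescue RegexpError
  nil
end

# Stand-in for `rex field=_raw "<arg>"`: the captured field for each matching
# line; lines that do not match (the "-" line above) yield nothing.
def rex(lines, arg, field)
  re = compile_rex(arg)
  raise ArgumentError, "rex argument does not compile: #{arg}" unless re
  lines.filter_map { |line| (m = re.match(line)) && m[field] }
end

# Stand-in for the downstream stats: distinct users seen per minute.
def users_per_minute(lines, arg, field)
  re = compile_rex(arg)
  seen = Hash.new { |h, k| h[k] = Set.new }
  lines.each do |line|
    m = re.match(line) or next
    seen[line[0, 16]] << m[field] # "YYYY-MM-DD HH:MM"
  end
  seen.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  [REX_TWO, REX_THREE, REX_FOUR, REX_ASKED].each do |arg|
    puts "#{arg}  ->  regex #{splunk_unescape(arg).inspect}"
  end
  puts "two slashes compile? #{!compile_rex(REX_TWO).nil?}"
  puts "three slashes: #{rex(LOG_LINES, REX_THREE, 'testid').inspect}"
  puts "asked pattern: #{rex(LOG_LINES, REX_ASKED, 'testID').inspect}"
  p users_per_minute(LOG_LINES, REX_THREE, 'testid')
end
```

Running it shows why three slashes work: "\\\(" unescapes to "\\(" (a literal backslash, then the group), and four slashes unescape to the same thing. With two, "\\(" unescapes to "\(", which turns the opening parenthesis into a literal and leaves the closing one unmatched. The original pattern compiles but "\\w+" means a literal backslash followed by the letter w, and its empty group captures nothing, which is why testID stayed unpopulated.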
To escape ", we added 1 slash. To escape that slash, we added another two slashes.
Three slashes did it! Any comment on why three are needed in this case? Thank you!
Use 3 slashes and no space.
Thanks for the response. Using the above regex yields an error, "unmatched parentheses". But when I place a space after the double backslash, the results are not correct. It almost appears that the backslash in "COMPANY\userID" is not being found by the regex.