Solved: Another rex field with backslashes question.

rfiscus · ‎01-25-2021

I can test

\\[\w]+\\[\w]+\\(?<File_Path>.+) or simply \\\w+\\\w+\\(?<File_Path>.+)

in Rex101 and it works fine

In Splunk, | rex field=_raw "\[\w]+\[\w]+\(?<File_Path>.+)"

I get Regex: unmatched closing parenthesis.

What would be the proper way to escape the backslashes in Splunk, I have search for examples but with no definitive answers?

Raw data:

Application Information:
Process ID: 3160
Application Name: \device\harddiskvolume4\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe

Network Information:
Direction: Outbound

I just want the output to be:

program files\common files\microsoft shared\clicktorun\officeclicktorun.exe

in this example.

rfiscus · ‎01-25-2021

Haha, I tried two and four, apparently didn't try three. Thanks!

View solution in original post

scelikok · ‎01-25-2021

Hi @rfiscus,

You should add one more backslash for escape backslash like below;

| rex field=_raw "\\\[\w]+\\\[\w]+\\\(?<File_Path>.+)"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

rfiscus · ‎01-25-2021

Haha, I tried two and four, apparently didn't try three. Thanks!

Another rex field with backslashes question.

field extraction

regex

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor