I am attempting to extract a user field from a log file using the following regex:
(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+)
Here is a sample event:
"Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"
This regex works correctly in regex101 and returns only the username ("username"), as desired. It doesn't find a match in Splunk, and I can only seem to get the extraction to work if I omit the backslash and extract the user field as "DOMAIN\username". What is the correct syntax in Splunk to escape a backslash?
Please try this:
| makeresults | eval test="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111" | rex field=test "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+\w+.(?P<user>[^,]+)"
Try using \x5c:
user:\s+DOMAIN\x5c(?P<user>[^\,]+)
Just use 3 backslashes, like this:
(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\(?P<user>[^,]+)
3 backslashes in the field extraction give me the following error:
Error in 'rex' command: Encountered the following error while compiling the regex '(?ms)(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P[^,]+)': Regex: unmatched closing parenthesis
In the error, it also seems to add more backslashes even though I only have 3 in my original regex.
Actually, try with 4 backslashes only.
(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\\(?P<user>[^,]+)
Try three backslashes.
This one is working perfectly fine.
| makeresults
| eval _raw="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"
| rex "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\(?P<user>[^,]+)"
Your suggestion works in regular search, but I receive the following error within the field extraction:
Error in 'rex' command: Encountered the following error while compiling the regex '(?ms)(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P[^,]+)': Regex: unmatched closing parenthesis
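As an added illustration (not part of the thread and not Splunk's own code), the following Python script models the two paths the pattern takes: the `rex` command in a search, where SPL first unquotes the double-quoted string, versus a field extraction (props.conf / the extraction UI), where the pattern reaches the regex engine verbatim. The unquoting rule used here is an assumption about SPL's string handling (`\\` becomes `\`, `\"` becomes `"`, every other backslash sequence is passed through untouched), and Python's `re` stands in for PCRE. Running the thread's pattern with one to four backslashes before the named group reproduces what the posts report: three backslashes match in a search but produce an unbalanced-parenthesis error in the field extraction, four match in a search but not in the extraction, and two are what the extraction itself needs. The sample event is the one from the question.

```python
import re

# Sample event from the question (constructed test input). The backslash
# between DOMAIN and username is a single literal character in the data.
EVENT = (r"Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: "
         r"Proxy: Client XG RPC session indication, user: DOMAIN\username, "
         r"virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, "
         r"client version: 1.04, build: 1111")

# The pattern from the thread, split around the spot where the backslash
# count varies between the answers.
PREFIX = r"(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN"
SUFFIX = r"(?P<user>[^,]+)"


def spl_unquote(s):
    """Assumed model of how SPL treats the body of a double-quoted string:
    \\ becomes \, \" becomes ", and any other backslash sequence (e.g. \s)
    is passed through unchanged. This is the author's understanding of the
    search-language layer, not Splunk code."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def try_regex(pattern):
    """Compile and run a pattern against EVENT. Returns the captured user,
    None for no match, or an 'ERROR: ...' string if the regex is invalid."""
    try:
        m = re.search(pattern, EVENT)
    except re.error as e:
        return "ERROR: " + str(e)
    return m.group("user") if m else None


def search_path(pattern_as_typed):
    """rex inside a search: the string is unquoted by SPL before PCRE sees it."""
    return try_regex(spl_unquote(pattern_as_typed))


def extraction_path(pattern_as_typed):
    """Field extraction (props.conf / extraction UI): no SPL unquoting,
    the pattern reaches the regex engine exactly as typed."""
    return try_regex(pattern_as_typed)


def variants():
    """Map backslash count -> (result in search, result in field extraction)."""
    results = {}
    for n in (1, 2, 3, 4):
        typed = PREFIX + "\\" * n + SUFFIX
        results[n] = (search_path(typed), extraction_path(typed))
    return results


if __name__ == "__main__":
    for n, (in_search, in_extraction) in variants().items():
        print(f"{n} backslash(es): search={in_search!r} extraction={in_extraction!r}")
```

The takeaway for the thread's problem: the number of backslashes you type depends on how many quoting layers sit between you and PCRE. In a search string, `DOMAIN\\\\` (or `\\\`) survives SPL unquoting as `\\`, which PCRE reads as one literal backslash; in the field-extraction UI nothing is unquoted, so `DOMAIN\\` is already the correct regex, and the extra backslashes turn `\(` into an escaped literal parenthesis, which is exactly the "unmatched closing parenthesis" error quoted above.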
When I tried your regex (?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+) in my Splunk instance, it worked perfectly fine. I indexed the sample data you provided, and it extracts the user field.
Are you providing sourcetype or source with the correct value while creating the field extraction?
I am providing sourcetype.