Solved: Re: Field Extraction With Backslash

michaeldeck · ‎12-07-2017

I am attempting to extract a user field from a log file using the following regex:

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+)

Here is a sample event:
"Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"

This regex works correctly in regex101 and returns only the username as desired "username". This doesn't find a match in Splunk and I can only seem to get the extraction to work if I omit the backslash and extract the user field as "DOMAIN\username". What is the correct syntax in Splunk to escape a backslash?

sbbadri · ‎12-07-2017

@michaeldeck

please try this,

| makeresults | eval test="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111" | rex field=test "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+\w+.(?P<user>[^,]+)"

View solution in original post

wenthold · ‎12-07-2017

Try using \x5c:

user:\s+DOMAIN\x5c(?P<user>[^\,]+)

sbbadri · ‎12-07-2017

@michaeldeck

please try this,

| makeresults | eval test="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111" | rex field=test "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+\w+.(?P<user>[^,]+)"

somesoni2 · ‎12-07-2017

Just use 3 backslash, like this

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\(?P<user>[^,]+)

michaeldeck · ‎12-07-2017

3 backslashes in the field extraction give me the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?ms)(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P[^,]+)': Regex: unmatched closing parenthesis

In the error, it also seems to add more backslashes even though I only have 3 in my original regex.

somesoni2 · ‎12-07-2017

Actually try with 4 backslash only.

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\\(?P<user>[^,]+)

harsmarvania57 · ‎12-07-2017

Try three back-slash

This one is working perfectly fine.

| makeresults 
| eval _raw="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"
| rex "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\(?P<user>[^,]+)"

michaeldeck · ‎12-07-2017

Your suggestion works in regular search, but I receive the following error within the field extraction:

Error in 'rex' command: Encountered the following error while compiling the regex '(?ms)(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P[^,]+)': Regex: unmatched closing parenthesis

harsmarvania57 · ‎12-07-2017

When I tried in my splunk instance with you regex (?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+), it's working perfectly fine and I have indexed sample data which you have provided and it is extracting user field.

Are you providing sourcetype OR source with correct value while creating field extraction?

michaeldeck · ‎12-07-2017

I am providing sourcetype.

Field Extraction With Backslash

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor