Splunk Search

Field Extraction With Backslash

michaeldeck
Engager

I am attempting to extract a user field from a log file using the following regex:

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+)

Here is a sample event:
"Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"

This regex works correctly in regex101 and returns only the username as desired "username". This doesn't find a match in Splunk and I can only seem to get the extraction to work if I omit the backslash and extract the user field as "DOMAIN\username". What is the correct syntax in Splunk to escape a backslash?

0 Karma
1 Solution

sbbadri
Motivator

@michaeldeck

please try this,

| makeresults | eval test="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111" | rex field=test "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+\w+.(?P<user>[^,]+)"

View solution in original post

wenthold
Communicator

Try using \x5c:

user:\s+DOMAIN\x5c(?P<user>[^\,]+)
0 Karma

sbbadri
Motivator

@michaeldeck

please try this,

| makeresults | eval test="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111" | rex field=test "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+\w+.(?P<user>[^,]+)"

somesoni2
SplunkTrust
SplunkTrust

Just use 3 backslash, like this

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\(?P<user>[^,]+)
0 Karma

michaeldeck
Engager

3 backslashes in the field extraction give me the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?ms)(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P[^,]+)': Regex: unmatched closing parenthesis

In the error, it also seems to add more backslashes even though I only have 3 in my original regex.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Actually try with 4 backslash only.

(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\\(?P<user>[^,]+)
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Try three back-slash

This one is working perfectly fine.

| makeresults 
| eval _raw="Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"
| rex "(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\\(?P<user>[^,]+)"

michaeldeck
Engager

Your suggestion works in regular search, but I receive the following error within the field extraction:

Error in 'rex' command: Encountered the following error while compiling the regex '(?ms)(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P[^,]+)': Regex: unmatched closing parenthesis

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

When I tried in my splunk instance with you regex (?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+), it's working perfectly fine and I have indexed sample data which you have provided and it is extracting user field.

Are you providing sourcetype OR source with correct value while creating field extraction?

0 Karma

michaeldeck
Engager

I am providing sourcetype.

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...