Help with rex- Unbalanced quotes when there are \ ...

jhcbazinga95 · ‎10-27-2022

Hey community,

Can someone help me out with a rex related question! Many many thanks!

I am trying to rex the V1 out of a sample string and I have tried catalogVersion\\":\\"(?P<catalogVersion>[^ ]+)\\",

In regex101, it is working, However, I am getting a Unbalanced quotes error in Splunk.

sample string

\"transferDisconnectReasons\":null,\"catalogVersion\":\"V1\",\"accountCustomerDetails\"

Cheers!

jotne · ‎10-28-2022

In Splunk regex, if escaping does not work, add more \ until id does work 😉

johnhuang · ‎10-27-2022

Yea, this is a pain.

1. You can double escape each backslash and escape each quotes. You'll end up with something like this:

| rex field=_raw "catalogVersion\\\\\":\\\\\"(?P<catalogVersion>[^ ]+)\\\\\","

2. Or you can replace all the backslash in the data which makes it easier to parse:

| rex field=_raw mode=sed "s/\\\//g"
| rex field=_raw "catalogVersion\":\"(?P<catalogVersion>[^\"]*)"

3. Or you can substitute value of \ and " with its unicode hex equivalent

| rex field=_raw "catalogVersion\x5c\x22:\x5c\x22(?P<catalogVersion>[^ ]+)\x5c\x22,"

Help with rex- Unbalanced quotes when there are \ and " in string