How do I write the regular expression to extract f...

macoo · ‎11-09-2015

Hi Community,

I'm struggling with a regex expression. I'm trying to extract fields (seperated by \) into the three new fields. I tried the following but with no luck:

Data: \ValueA\ValueB\ValueC\ValueD...

RegEx: rex field=InputField "\\(?<Output1>.*)\\(?<Output2>.*)\\(?<Output3>.*)\\"

richgalloway · ‎11-09-2015

Regex101.com successfully parses your sample data with regex string you provided. What results are you getting and what are you expecting?

---
If this reply helps you, Karma would be appreciated.

macoo · ‎11-10-2015

Well, it works in regex101.com but fail in Splunk with the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '\(?.*)\(?.*)\(?.*)\': Regex: unmatched parentheses

richgalloway · ‎11-10-2015

That error message usually means an escape character is missing. The board messed up your regex string, however, so it's impossible to tell where the error might be. Please re-post your entire rex command by enclosing it within backtics.

---
If this reply helps you, Karma would be appreciated.

How do I write the regular expression to extract fields separated by a backslash?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation