Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I write the regular expression to extract fields separated by a backslash?

macoo
Explorer
‎11-09-2015 08:26 AM

Hi Community,

I'm struggling with a regex expression. I'm trying to extract fields (seperated by \) into the three new fields. I tried the following but with no luck:

Data: \ValueA\ValueB\ValueC\ValueD...

RegEx: rex field=InputField "\\(?<Output1>.*)\\(?<Output2>.*)\\(?<Output3>.*)\\"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2015 09:39 AM

Regex101.com successfully parses your sample data with regex string you provided. What results are you getting and what are you expecting?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

macoo
Explorer
‎11-10-2015 01:06 AM

Well, it works in regex101.com but fail in Splunk with the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '\(?.*)\(?.*)\(?.*)\': Regex: unmatched parentheses

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2015 07:01 AM

That error message usually means an escape character is missing. The board messed up your regex string, however, so it's impossible to tell where the error might be. Please re-post your entire rex command by enclosing it within backtics.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...