How do you use regex to escape a backslash?

jacqu3sy
Path Finder

Hi,

I have the following regex which works on regex101, but gives me an error when I try and use this within a Splunk query. Not sure if it's the fact that I'm trying to escape the backslash that's causing the issue.

I have the field;

"UserName\a123456"

And I want to extract this into a field called NewUserName where it equals everything after the \ and up to closing quotes. So

NewUserName should be;

a123456

As I said, it works on Regex101 with the following;

"ADMIN\\*(?P<NewUserName>[^"]*)"

But when I try it in Splunk via;

| rex field=_raw "ADMIN\\*(?P<NewUserName>[^"]*)"

I get the error;

Mismatched ']' 

Any ideas?

0 Karma
1 Solution

vnravikumar
Champion

Hi @jacqu3sy

Try this

| makeresults 
   | eval msg="UserName\a123456" | rex field=msg "\\\(?P<NewUserName>.*)"


kushagra9120
Explorer

I think this should work as it will only pick the string in format "UserName\a123456" and not any string that starts with backslash :-

rex field =_raw "^".\(?P.)\""

0 Karma

mydog8it
Builder

I don't see your regex working in regex101 with the sample provided. This regex matches your sample in regex101...
UserName\(?P[^"]*)

so perhaps this would work in Splunk...
rex field=_raw "UserName\(?P[^"]*)"

0 Karma

Ganesh_Udar
Engager

Great! Thank you so much.

0 Karma

jacqu3sy
Path Finder

Thanks. That worked. Not sure why it needs 3 backslashes though?! Think that's what caught me out. And could you explain what the P after the ? is for?

Thanks.

0 Karma

vnravikumar
Champion

(?P<>) is a named group which stores the extracted value.

0 Karma

woodcock
Esteemed Legend

The P is not necessary in Splunk's implementation of RegEx, but it is harmless (and distracting). I never use it.

0 Karma
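
Why three backslashes work and why the original rex failed, as an added example that is not part of any post in this thread: a simplified Python model (an assumption, not Splunk's actual parser) of the two layers a rex pattern passes through, first the double-quoted SPL string and then the regex engine. The names `spl_unquote` and `rex` and the sample event are constructed for illustration.

```python
import re

def spl_unquote(arg):
    # Simplified model (an assumption, not Splunk's actual parser) of reading
    # a double-quoted SPL argument: backslash-backslash -> one backslash,
    # backslash-quote -> quote, any other backslash pair is kept unchanged,
    # and the first unescaped quote closes the string.
    out, i = [], 1                      # arg[0] is the opening quote
    while i < len(arg):
        ch = arg[i]
        if ch == "\\" and i + 1 < len(arg):
            nxt = arg[i + 1]
            out.append(nxt if nxt in '\\"' else ch + nxt)
            i += 2
        elif ch == '"':
            return "".join(out), arg[i + 1:]    # (regex, text left over)
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string")

def rex(arg, event, group="NewUserName"):
    # Layer 2: whatever survives layer 1 is compiled as the regex.
    pattern, leftover = spl_unquote(arg)
    if leftover:
        raise ValueError(f"string closed early, regex seen: {pattern!r}")
    m = re.search(pattern, event)
    return m.group(group) if m else None

# Constructed sample: the quoted value from the question.
EVENT = r'"UserName\a123456"'
THREE = r'"\\\(?P<NewUserName>.*)"'                    # accepted answer
FOUR = r'"UserName\\\\(?P<NewUserName>[^\"]*)"'        # escaped for both layers
UNESCAPED_QUOTE = r'"ADMIN\\*(?P<NewUserName>[^"]*)"'  # shape of the question's rex

if __name__ == "__main__":
    for name in ("THREE", "FOUR", "UNESCAPED_QUOTE"):
        arg = globals()[name]
        try:
            print(name, "->", spl_unquote(arg)[0], "->", rex(arg, EVENT))
        except ValueError as err:
            print(name, "->", err)
```

In this model three and four backslashes reach the regex engine as the same `\\`, and the greedy `.*` keeps the closing quote when the value is quoted. The unescaped `"` inside the character class closes the string early, which writing it as `[^\"]` avoids.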