Solved: How to escape double backslash in rex/regex comman...

ixixix_spl · ‎09-05-2018

I'm having some serious difficulty in figuring out how to escape a double backslash within the REX/regex spl command..
The following regex works on regex101 "title\\\\\"\:\\\\\"(?<event>[^\)].*)\\\\\"\,\\\\\"selection" when extracting the log snippet below to get the "Button Title" text:

"partyId\":\"lahflkhasdljkflkf\",\"title\”:\”Button Title\”,\”selectionType\":\"button\
I found a suggestion on "Tricky behavior of escaping backslash in regex" to \\ to match a single \ but that didn't do the trick. Anyone have advice on how to escape a double backslash in the rex command, and if so please post the regex below!

Thanks!

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

View solution in original post

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

ixixix_spl · ‎09-05-2018

wow that was quick thanks!!!

How to escape double backslash in rex/regex command?

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Are you a member of the Splunk Community?

How to escape double backslash in rex/regex command?

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement