Solved: How to escape double backslash in rex/regex comman...

ixixix_spl · ‎09-05-2018

I'm having some serious difficulty in figuring out how to escape a double backslash within the REX/regex spl command..
The following regex works on regex101 "title\\\\\"\:\\\\\"(?<event>[^\)].*)\\\\\"\,\\\\\"selection" when extracting the log snippet below to get the "Button Title" text:

"partyId\":\"lahflkhasdljkflkf\",\"title\”:\”Button Title\”,\”selectionType\":\"button\
I found a suggestion on "Tricky behavior of escaping backslash in regex" to \\ to match a single \ but that didn't do the trick. Anyone have advice on how to escape a double backslash in the rex command, and if so please post the regex below!

Thanks!

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

View solution in original post

ixixix_spl · ‎09-05-2018

wow that was quick thanks!!!

How to escape double backslash in rex/regex command?

Re: How to escape double backslash in rex/regex command?

Re: How to escape double backslash in rex/regex command?

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.

Share your experience in our
Career Survey Now!

How to escape double backslash in rex/regex command?

Re: How to escape double backslash in rex/regex command?

Re: How to escape double backslash in rex/regex command?

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.

Share your experience in our Career Survey Now!

Share your experience in our
Career Survey Now!