Solved: How to escape double backslash in rex/regex comman...

ixixix_spl · ‎09-05-2018

I'm having some serious difficulty in figuring out how to escape a double backslash within the REX/regex spl command..
The following regex works on regex101 "title\\\\\"\:\\\\\"(?<event>[^\)].*)\\\\\"\,\\\\\"selection" when extracting the log snippet below to get the "Button Title" text:

"partyId\":\"lahflkhasdljkflkf\",\"title\”:\”Button Title\”,\”selectionType\":\"button\
I found a suggestion on "Tricky behavior of escaping backslash in regex" to \\ to match a single \ but that didn't do the trick. Anyone have advice on how to escape a double backslash in the rex command, and if so please post the regex below!

Thanks!

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

View solution in original post

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

ixixix_spl · ‎09-05-2018

wow that was quick thanks!!!

How to escape double backslash in rex/regex command?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How to escape double backslash in rex/regex command?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?