Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to regex match on back slash in character class?

frbuser
Path Finder
‎10-30-2019 07:07 AM

I am trying to use a regex to extract a PowerShell script that is being executed in a way that also includes the directory of the script.

Query
| rex field=Process_Command_Line "\w:(?<Script>[\\\w\\\\\s]+\.ps1)"

It's not working due to the way Splunk is processing the back slashes.

How do I match a literal back slash, a word character, and space within a character class in Splunk?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

frbuser
Path Finder
‎10-30-2019 07:18 AM

I think I figured it out:

| rex field=Process_Command_Line "(?<Script>\w:[-\w\s\\\]+\.ps1)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

frbuser
Path Finder
‎10-30-2019 07:18 AM

I think I figured it out:

| rex field=Process_Command_Line "(?<Script>\w:[-\w\s\\\]+\.ps1)"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...