Splunk Search

Howto escape double quote in regex when using rex

jmartens
Path Finder

I have the following regex that I (currently) use at search time (it will be a field extraction once I get it ironed out):

User\[(?:(?<SignOffDomain>[^\\]+)(?:\\))?(?<SignOffUsername>[^\]]+)[^\[]+\[\"(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)

It seems to work OK on regex101: https://regex101.com/r/nGdKxQ/5 but fails when trying to parse in Splunk with the following error:

Error in 'rex' command: Encountered the following error while compiling the regex 'User\[(?:(?<SignOffDomain>[^\]+)(?:\))?(?<SignOffUsername>[^\]]+)[^\[]+\["(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)': Regex: missing closing parenthesis.

Any clue on what I need to escape additionally perhaps?

For testing I created the following sample:

| makeresults count=2
| streamstats count
| eval _raw=if((count%2) == 1, "2025-01-20 08:43:11 Local0 Info 08:43:11:347 HAL-TRT-SN1701 DOMAIN\firstname0.lastname0|4832|TXA HIPAA [1m]HIPAALogging: User[DOMAIN\firstname0.lastname0], Comment[\"Successfully authenticated user with privilege: A_Dummy_Privilege\"], PatientId[PatientIdX], PlanUID[PlanLabel:PlabnLabelX,PlanInstanceUID:PlanInstanceUIDX", "2025-01-20 07:54:42 Local0 Info 07:54:41:911 HAL-TRT-SN1701 domain\firstanme2.lastname2|4832|TXA HIPAA [1m]HIPAALogging: User[firstname1.lastname1], Comment[\"Successfully authenticated user with privilege: AnotherPrivilege\"], PatientId[], PlanUID[], Right[True]")
| rex field="_raw" "User\[(?:(?<SignOffDomain>[^\\]+)(?:\\))?(?<SignOffUsername>[^\]]+)[^\[]+\[\"(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)"

 

Labels (4)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @jmartens ,

this is a bug that I noticed to Splunk Support but they said that's ok!

Anyway, when you need to escape a backslash in Splunk in a regex that runs in regex101, you have to add one ot two additional backslashes in Splunk every time you jave a backslash.

So try

<pre>User\[(?:(?<SignOffDomain>[^\\\]+)(?:\\\))?(?<SignOffUsername>[^\]]+)[^\[]+\[\"(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)</pre>

Ciao.

Giuseppe

View solution in original post

0 Karma

jmartens
Path Finder

Thanks @gcusello. I am aware that I need to escape stuff, problem is I do not see where I might have missed one, I already escaped a lot, at least what was required on regex101.

It seems your solution works, will continue with that. Thanks!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jmartens ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jmartens ,

this is a bug that I noticed to Splunk Support but they said that's ok!

Anyway, when you need to escape a backslash in Splunk in a regex that runs in regex101, you have to add one ot two additional backslashes in Splunk every time you jave a backslash.

So try

<pre>User\[(?:(?<SignOffDomain>[^\\\]+)(?:\\\))?(?<SignOffUsername>[^\]]+)[^\[]+\[\"(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)</pre>

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...