Splunk Search

Howto escape double quote in regex when using rex

jmartens
Path Finder

I have the following regex that I (currently) use at search time (it will be a field extraction once I get it ironed out):

User\[(?:(?<SignOffDomain>[^\\]+)(?:\\))?(?<SignOffUsername>[^\]]+)[^\[]+\[\"(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)

It seems to work OK on regex101: https://regex101.com/r/nGdKxQ/5 but fails when trying to parse in Splunk with the following error:

Error in 'rex' command: Encountered the following error while compiling the regex 'User\[(?:(?<SignOffDomain>[^\]+)(?:\))?(?<SignOffUsername>[^\]]+)[^\[]+\["(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)': Regex: missing closing parenthesis.

Any clue on what I need to escape additionally perhaps?

For testing I created the following sample:

| makeresults count=2
| streamstats count
| eval _raw=if((count%2) == 1, "2025-01-20 08:43:11 Local0 Info 08:43:11:347 HAL-TRT-SN1701 DOMAIN\firstname0.lastname0|4832|TXA HIPAA [1m]HIPAALogging: User[DOMAIN\firstname0.lastname0], Comment[\"Successfully authenticated user with privilege: A_Dummy_Privilege\"], PatientId[PatientIdX], PlanUID[PlanLabel:PlabnLabelX,PlanInstanceUID:PlanInstanceUIDX", "2025-01-20 07:54:42 Local0 Info 07:54:41:911 HAL-TRT-SN1701 domain\firstanme2.lastname2|4832|TXA HIPAA [1m]HIPAALogging: User[firstname1.lastname1], Comment[\"Successfully authenticated user with privilege: AnotherPrivilege\"], PatientId[], PlanUID[], Right[True]")
| rex field="_raw" "User\[(?:(?<SignOffDomain>[^\\]+)(?:\\))?(?<SignOffUsername>[^\]]+)[^\[]+\[\"(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)"

 

Labels (4)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @jmartens ,

this is a bug that I noticed to Splunk Support but they said that's ok!

Anyway, when you need to escape a backslash in Splunk in a regex that runs in regex101, you have to add one ot two additional backslashes in Splunk every time you jave a backslash.

So try

<pre>User\[(?:(?<SignOffDomain>[^\\\]+)(?:\\\))?(?<SignOffUsername>[^\]]+)[^\[]+\[\"(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)</pre>

Ciao.

Giuseppe

View solution in original post

0 Karma

jmartens
Path Finder

Thanks @gcusello. I am aware that I need to escape stuff, problem is I do not see where I might have missed one, I already escaped a lot, at least what was required on regex101.

It seems your solution works, will continue with that. Thanks!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jmartens ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jmartens ,

this is a bug that I noticed to Splunk Support but they said that's ok!

Anyway, when you need to escape a backslash in Splunk in a regex that runs in regex101, you have to add one ot two additional backslashes in Splunk every time you jave a backslash.

So try

<pre>User\[(?:(?<SignOffDomain>[^\\\]+)(?:\\\))?(?<SignOffUsername>[^\]]+)[^\[]+\[\"(?<SignOffComment>[^\:]+)\:\s+(?<SignOffPrivilege>[^\"]+)</pre>

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...