Splunk Search

Incorrect Regex

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I've created this regex \"Surname\\":\\"(?<SName>[^"]+)\\" which extracts the Surname from the following raw data:

"Surname\":\"SMITH\"

This works fine in Regex101, but I when I add this to my query here:

auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\\":\\"(?<SName>[^"]+)\\""

I receive the following error:

Mismatched ']'.

I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

Tags (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

"Surname":"(?<SName>[^"]+)"

And this:

auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\":\"(?<SName>[^\"]+)\""

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

"Surname":"(?<SName>[^"]+)"

And this:

auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\":\"(?<SName>[^\"]+)\""
0 Karma

IRHM73
Motivator

Hi @woodcock thank you for coming back to me with the solution.

Kind regards

Chris

0 Karma

stephanefotso
Motivator

Hello try this: auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\":\"(?[^\"]+)\""

SGF
0 Karma

IRHM73
Motivator

Hi thank you for coming back to me with this, but unfortunately I still receive the same error.

I'm able to get past the error using rex field=_raw "\"Surname\":\"(?[^\"]+)\"" but it is not extracting any information.

Kind Regards

Chris

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...