Solved: Regex Error with Splunk SOAR/Phantom

luffy

I have a regex to extract filename from object field. This works completely fine in Search.
index="test" | rex field=object "(?P<fileName>[^\\\]+)$"

However, when I try to input the below custom code in Splunk SOAR, it always returns an error "HTTP 400 Bad Request -- Error in 'rex' command: Encountered the following error while compiling the regex '(?P<fileName>[^\\]+)$': Regex: missing terminating ] for character class."

sql_search_query=rf"""
index="test"
| rex field=object "(?P<fileName>[^\\\]+)$"
"""
parameters = []
parameters.append({
"command": "search",
"search_mode": "smart",
"add_raw_field": False,
"query": sql_search_query,
"parse_only": True,
"start_time": "-90d",
"end_time": 0,
})

PrewinThomas

@luffy

Looks like escape character causing the issue. Can you try double escaping

sql_search_query = """
index="test"
| rex field=object "(?P<fileName>[^\\\\]+)$"
"""

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

PrewinThomas

@luffy

Looks like escape character causing the issue. Can you try double escaping

sql_search_query = """
index="test"
| rex field=object "(?P<fileName>[^\\\\]+)$"
"""

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Regex Error with Splunk SOAR/Phantom

field extraction

other

regex

rex

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?