Solved: Regex Error with Splunk SOAR/Phantom

luffy · ‎09-24-2025

I have a regex to extract filename from object field. This works completely fine in Search.
index="test" | rex field=object "(?P<fileName>[^\\\]+)$"

However, when I try to input the below custom code in Splunk SOAR, it always returns an error "HTTP 400 Bad Request -- Error in 'rex' command: Encountered the following error while compiling the regex '(?P<fileName>[^\\]+)$': Regex: missing terminating ] for character class."

sql_search_query=rf"""
index="test"
| rex field=object "(?P<fileName>[^\\\]+)$"
"""
parameters = []
parameters.append({
"command": "search",
"search_mode": "smart",
"add_raw_field": False,
"query": sql_search_query,
"parse_only": True,
"start_time": "-90d",
"end_time": 0,
})

PrewinThomas · ‎09-24-2025

@luffy

Looks like escape character causing the issue. Can you try double escaping

sql_search_query = """
index="test"
| rex field=object "(?P<fileName>[^\\\\]+)$"
"""

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

PrewinThomas · ‎09-24-2025

@luffy

Looks like escape character causing the issue. Can you try double escaping

sql_search_query = """
index="test"
| rex field=object "(?P<fileName>[^\\\\]+)$"
"""

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Regex Error with Splunk SOAR/Phantom

field extraction

other

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation