Solved: Regex Error with Splunk SOAR/Phantom

luffy · ‎09-24-2025

I have a regex to extract filename from object field. This works completely fine in Search.
index="test" | rex field=object "(?P<fileName>[^\\\]+)$"

However, when I try to input the below custom code in Splunk SOAR, it always returns an error "HTTP 400 Bad Request -- Error in 'rex' command: Encountered the following error while compiling the regex '(?P<fileName>[^\\]+)$': Regex: missing terminating ] for character class."

sql_search_query=rf"""
index="test"
| rex field=object "(?P<fileName>[^\\\]+)$"
"""
parameters = []
parameters.append({
"command": "search",
"search_mode": "smart",
"add_raw_field": False,
"query": sql_search_query,
"parse_only": True,
"start_time": "-90d",
"end_time": 0,
})

PrewinThomas · ‎09-24-2025

@luffy

Looks like escape character causing the issue. Can you try double escaping

sql_search_query = """
index="test"
| rex field=object "(?P<fileName>[^\\\\]+)$"
"""

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

PrewinThomas · ‎09-24-2025

@luffy

Looks like escape character causing the issue. Can you try double escaping

sql_search_query = """
index="test"
| rex field=object "(?P<fileName>[^\\\\]+)$"
"""

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Regex Error with Splunk SOAR/Phantom

field extraction

other

regex

rex

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation