Regex: Why am I getting this syntax error in subpa...

Jewatson17 · ‎02-12-2018

I keep getting the missing terminator error when trying to parse. I am not sure whats the problem

Here is my regex:

| rex field=referer "/en-US/app(?<<app>>[^/]+)/(?<<dashboard>&g>;[^?/\s]+)"

gcusello · ‎02-12-2018

Hi Jewatson17,
could you share an example of the log to parse?
it seems that you want to parse the address of a dashboard,
if this is true probably the problem is a missed slash (/) and something elase, try something like this:

| rex field=referer "/en-US/app/(?<my_app>[^/]+)/(?<my_dashboard>[^?/ ]+)"

Bye.
Giuseppe

Jewatson17 · ‎02-12-2018

I'm trying to pull the usage of ALL the dashboards in my environment.

493669 · ‎02-12-2018

Hi @Jewatson17,
Try this:

| rex field=referer "\/en-US\/app\/(?<app>[^\/]+)\/(?<dashboard>[^?]+)"

FrankVl · ‎02-12-2018

Escaping the forward slashes is not even necessary I think. Key thing to fix is the redundant characters and the &g and ; in the dashboard field extraction.

Regex: Why am I getting this syntax error in subpattern name (missing terminator)?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Regex: Why am I getting this syntax error in subpattern name (missing terminator)?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience