Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regex field != expression not matching
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a query where I am performing regex matching on two different fields, field1 and field2. index=proxylogs uri!=aa.*|regex field1=".*abc\..*|.*api\..*"|regex field2!="(?i)abc\\xyz[a-z0-9]{5}|(?i)abc\\kkr[a-z0-9]{6}"|.... Field 1 matches with the regex pattern and provides results that have matching values. However, field 2 doesn't work as I am getting the results that do match the regex of field2 and not discarding them. According to the '!=', the values that match that particular regex shouldn't be present in the result of the query, but they are. So, it isn't working as it supposed to. I have tested the regex elsewhere and it is correct. Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I think you may need to double-escape the backslash in your second regex. As a test, I tried this:
| makeresults
| eval field1="api.twitter.com"
| eval field2="ABC\xyz1aul4"
| regex field2!="(?i)abc\\\xyz[a-z0-9]{5}"
Which worked (i.e. it returned no results).
Likewise just invert the logic to see if it does match:
| regex field2="(?i)abc\\\xyz[a-z0-9]{5}"
See if that does it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I think you may need to double-escape the backslash in your second regex. As a test, I tried this:
| makeresults
| eval field1="api.twitter.com"
| eval field2="ABC\xyz1aul4"
| regex field2!="(?i)abc\\\xyz[a-z0-9]{5}"
Which worked (i.e. it returned no results).
Likewise just invert the logic to see if it does match:
| regex field2="(?i)abc\\\xyz[a-z0-9]{5}"
See if that does it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yup. That worked. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post an example event please? One that should be filtered out by the second regex command but is not?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used stats in the query so I have a statistics table with selected fields. So, an example of the result which shouldn't be there would be
field1 field2
api.twitter.com ABC\xyz1aul4
This should ideally be avoided since it matches the second field's regex but it hasn't
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
