Hey,
I was trying to filter some search data in Splunk using regex. I was able to figure out the regex part. However, when I try to input it into Splunk, I get an error.
Error in 'SearchParser': Missing a search command before '\'. Error at position '321' of search query 'search index=nessus [ search index=nessus ...{snipped} {errorcontext = <paths>^([\w]+[^\w\r\}'.
Splunk command : | rex field=pluginText (?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)
regex link : regex101: build, test, and debug regex
Hi @AttarSingh1,
Please try below;
| rex max_match=0 field=pluginText "(?m)(?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"
Can you explain what the (?m) does?
Everything works with this. Thanks a bunch!
Hi @AttarSingh1,
Nice to hear everything works.
(?m) is the (?<option_flag>) construct, which allows you to set various matching properties like case-insensitivity, multiline, greedy, etc.
The "m" flag is for multiline data.
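To make the two pieces of the accepted answer concrete, here is an added example (not from this thread or from Splunk) that runs the thread's pattern with Python's re module. Python needs (?P<name>...) instead of PCRE's (?<name>...); the body of the pattern is otherwise unchanged. re.MULTILINE plays the role of (?m), and finditer plays the role of rex max_match=0 (every match) versus search for the default max_match=1 (first match only). The pluginText value is constructed for the example: its first line is deliberately not path-like, so without the multiline flag the ^ anchor only ever sits in front of a line that cannot match.

```python
import re

# Constructed sample of a multi-line pluginText field value (not real
# Nessus output). The first line is a header that the pattern does not
# match; the remaining lines are word/separator/word/separator/word.
PLUGIN_TEXT = (
    "Plugin output:\n"
    "opt/splunk/bin\n"
    "etc/ssh/sshd_config\n"
    "var/log/secure\n"
)

# The thread's regex, with Splunk/PCRE (?<paths>...) written as Python's
# (?P<paths>...). ^ anchors each match at a line start only when the
# MULTILINE flag is active.
PATTERN = r"(?P<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"


def extract_paths(text, multiline):
    """All 'paths' captures, mirroring `rex max_match=0`.

    multiline=True corresponds to the (?m) prefix in the accepted answer:
    ^ then matches at the start of every line instead of only at the very
    start of the field value.
    """
    flags = re.MULTILINE if multiline else 0
    return [m.group("paths") for m in re.finditer(PATTERN, text, flags)]


def first_path(text, multiline):
    """Only the first capture, mirroring the default `rex` (max_match=1).

    Returns None when nothing matches, which is the rex equivalent of the
    extracted field simply not being created.
    """
    flags = re.MULTILINE if multiline else 0
    m = re.search(PATTERN, text, flags)
    return m.group("paths") if m else None


if __name__ == "__main__":
    # Default rex behaviour without (?m): ^ is pinned to position 0, where
    # the header line fails, so no field value is produced at all.
    print("no (?m), max_match=1 :", first_path(PLUGIN_TEXT, multiline=False))
    # (?m) alone: the first path-like line is captured.
    print("(?m),    max_match=1 :", first_path(PLUGIN_TEXT, multiline=True))
    # (?m) plus max_match=0: every path-like line becomes a value.
    print("(?m),    max_match=0 :", extract_paths(PLUGIN_TEXT, multiline=True))
```

Splunk's rex uses the PCRE engine, so flag handling differs in small ways from Python's re, but the (?m) semantics shown here (anchor per line rather than per field) are the same, and the separate max_match=0 is what turns "first line only" into a multivalue field.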
You should put the regex expression into double quotes like below;
| rex field=pluginText "(?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"
Thanks, that did take care of the error, but my variable isn't storing a value.
Do you have any ideas on how to set regex flags /gm in Splunk? Unsure if you need to, but that's what regex101 made me do, so maybe that's the missing piece.