Splunk Search

Regex help, using ^ character

AttarSingh1
Explorer

Hey,

 

I was trying to filter some search data in splunk using regex. I was able to figure the regex part. However when I try to input into splunk, i get an error. 
Error in 'SearchParser': Missing a search command before '\'. Error at position '321' of search query 'search index=nessus [ search index=nessus ...{snipped} {errorcontext = <paths>^([\w]+[^\w\r\}'.

 

Splunk command : | rex field=pluginText (?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)

regex link : regex101: build, test, and debug regex

Labels (2)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @AttarSingh1,

Please try below;

| rex max_match=0 field=pluginText "(?m)(?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"

 

If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @AttarSingh1,

Please try below;

| rex max_match=0 field=pluginText "(?m)(?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"

 

If this reply helps you an upvote is appreciated.

AttarSingh1
Explorer

can you explain what the (?m) does

 

everything works with this. thanks a bunch

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @AttarSingh1,

Nice to hear everything works. 

(?m) is the (?<option_flag>) construct allows you to set various matching properties like case-insensitivity, multiline, greedy,

The "m" flag is for multiline data.

If this reply helps you an upvote is appreciated.
0 Karma

scelikok
SplunkTrust
SplunkTrust

@AttarSingh1,

You should put the regex expression into double quotes like below;

| rex field=pluginText "(?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"
If this reply helps you an upvote is appreciated.

AttarSingh1
Explorer

Thanks that did take care of the error, but my variable isnt storing value.

0 Karma

AttarSingh1
Explorer

Do you have any ideas on how to set regex flags /gm, in splunk. Unsure if you need to. but thats what regex101 made me do. so maybe thats the missing piece

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...